Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
CISA and NSA Warn of BRICKSTORM Malware Attacking VMware ESXi and Windows Environments
Date: 2025-12-04 | Source: Cyber Security News
CISA and NSA issued a joint advisory on BRICKSTORM malware, a sophisticated backdoor targeting VMware ESXi and Windows environments, attributed to PRC state-sponsored actors. BRICKSTORM employs advanced evasion techniques and resilient C2 mechanisms using DNS-over-HTTPS and encrypted WebSocket connections. It allows attackers to manipulate virtual machines and extract credentials. Organizations are urged to upgrade VMware servers, block unauthorized DoH traffic, and enhance monitoring of service accounts to detect this threat.
2025-12-04 | Recorded Future: CISA, NSA warn of China’s BRICKSTORM malware after incident response efforts
Chinese state-sponsored hackers are using BRICKSTORM malware to target government and IT sectors in the U.S., Canada, and Asia Pacific. CISA and NSA issued an advisory detailing its capabilities, including long-term access and stealthy operations. The malware primarily targets VMware vSphere and Windows environments, allowing attackers to extract credentials and manipulate files. CrowdStrike reported multiple intrusions since 2023, with a focus on stealing sensitive data and intellectual property from organizations, including legal and tech firms.
2025-12-04 | The Register: PRC spies Brickstormed their way into critical US networks and remained hidden for years
Chinese cyberspies have maintained long-term access to critical US networks using the Brickstorm backdoor, infecting at least eight government and IT organizations. The malware operates across Linux, VMware, and Windows. CISA reported that the intruders gained access in April 2024 and stole cryptographic keys. Google and CrowdStrike linked the attacks to a group called Warp Panda, which has targeted legal, technology, and manufacturing sectors. Recommendations include using an open-source scanner from Mandiant to detect Brickstorm.
2025-12-04 | The Register: PRC spies Brickstormed their way into critical US networks and remained hidden for years
Chinese cyberspies have maintained long-term access to critical US networks using the Brickstorm backdoor, infecting at least eight government and IT organizations. The malware operates across Linux, VMware, and Windows. CISA reported that intrusions began as early as April 2024, with sensitive data, including cryptographic keys, being stolen. Google and CrowdStrike linked the activity to a Chinese group, Warp Panda, which targets SaaS providers and Microsoft Azure environments, raising concerns over persistent access and potential sabotage.
2025-12-04 | Cyberscoop: Officials warn about expansive, ongoing China espionage threat riding on Brickstorm malware
Cybersecurity authorities revealed a China state-sponsored espionage campaign utilizing Brickstorm malware, which has infiltrated U.S. government, IT, and legal sectors since at least 2022. This sophisticated backdoor allows persistent access, averaging 393 days, for data theft and further malicious actions. CISA and NSA reported that dozens of organizations have been affected. The campaign employs advanced techniques to exploit cloud misconfigurations and targets poorly monitored devices, complicating detection efforts.
2025-12-05 | The Hacker News: CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that state-sponsored Chinese hackers are using a backdoor named BRICKSTORM to maintain long-term access to U.S. systems, particularly targeting government and IT sectors. BRICKSTORM, written in Golang, allows stealthy command-and-control operations and lateral movement within networks. The malware exploits vulnerabilities in VMware environments and has been linked to the hacking group Warp Panda, which has targeted multiple U.S. entities since at least 2022.
2025-12-05 | Cyber Security News: China-Nexus Hackers Exploiting VMware vCenter Environments to Deploy Web Shells and Malware Implants
A new threat actor, WARP PANDA, is targeting critical infrastructure in the U.S., exploiting VMware vCenter environments in legal, technology, and manufacturing sectors. Their toolkit includes BRICKSTORM malware, JSP web shells, and two implants, Junction and GuestConduit. They exploit vulnerabilities such as CVE-2024-21887 and CVE-2024-38812 for access, using advanced techniques like DNS-over-HTTPS and TLS encryption. Their operations demonstrate sophisticated persistence and evasion tactics within compromised networks.
2025-12-05 | Security Affairs: BRICKSTORM backdoor exposed: CISA warns of advanced China-backed intrusions
CISA has revealed details about the BRICKSTORM backdoor, linked to China-sponsored APTs, used for long-term persistence in compromised systems, particularly in Government Services and IT sectors. Active since March 2025, BRICKSTORM employs sophisticated techniques, including multiple encryption layers and lateral movement via stolen credentials. It can manipulate files, execute commands, and maintain stealth. Notably, intrusions often remain undetected for over a year, with significant focus on exploiting perimeter systems and zero-day vulnerabilities.
2025-12-05 | TechRadar: Chinese hackers used Brickworm malware to breach critical US infrastructure
Chinese state-sponsored hackers are using Brickworm malware to infiltrate government and IT networks globally, targeting VMware vSphere and Windows systems. A joint report by CISA, NSA, and the Canadian Centre for Cyber Security revealed that these actors maintain persistent access, exfiltrate files, and manipulate Active Directory. The report highlights risks of long-term espionage and sabotage, with incidents noted as early as April 2024. China denies these allegations, labeling the US as a "cyber-bully."
2025-12-05 | Infosecurity Magazine: China-Linked Warp Panda Targets North American Firms in Espionage Campaign
CrowdStrike has identified a cyber-espionage campaign by the China-linked group Warp Panda, targeting North American legal, technology, and manufacturing firms since at least 2022. The group employs advanced techniques, including the use of BRICKSTORM malware on VMware vCenter servers, and has been active in exploiting vulnerabilities and maintaining persistent access for intelligence-gathering aligned with Chinese government interests. CISA confirmed the use of BRICKSTORM for long-term access from April 2024 to September 2025.
2025-12-05 | Cybersecurity Dive: China-nexus actor targets multiple US entities with Brickstorm malware
A China-nexus threat actor, Warp Panda, targeted U.S. companies in various sectors, deploying Brickstorm malware after hacking VMware vCenter environments. The attacks occurred in summer 2025, exploiting internet-facing devices and valid credentials. Additional tools included JSP web shells and Golang implants. CISA and NSA issued warnings about state-supported hackers stealing virtual machine snapshots. The campaign aims to maintain persistent access and extract sensitive data for strategic advantage.
2025-12-05 | CSO Online: Chinese cyberspies target VMware vSphere for long-term persistence
Chinese state-sponsored threat actors are backdooring VMware vCenter and ESXi servers with a Go-written malware, BRICKSTORM, enabling long-term network persistence. A joint report by CISA, NSA, and Cyber Centre highlights that government services and IT sectors are primary targets. BRICKSTORM was first reported by Mandiant and Google in September, with an average undetected duration of 369 days. CISA analyzed eight samples, including one from a VMware vCenter server, which remained undetected for over 18 months.
Prompt Injection Flaw in GitHub Actions Hits Fortune 500 Firms
Date: 2025-12-04 | Source: Cyber Security News
A new class of prompt injection vulnerabilities, termed "PromptPwnd," affects GitHub Actions and GitLab CI/CD pipelines integrated with AI agents, impacting at least five Fortune 500 companies. The flaw allows untrusted user input to be injected into AI prompts, enabling unauthorized actions like editing pull requests and leaking sensitive credentials. Aikido Security recommends restricting AI toolsets, sanitizing user input, and treating AI output as untrusted code. Google patched a related vulnerability in its Gemini CLI within four days.
2025-12-05 | Hack Read: PromptPwnd Vulnerability Exposes AI-driven build systems to Data Theft
Aikido Security has identified a vulnerability named PromptPwnd affecting AI-driven build systems like GitHub Actions and GitLab CI/CD, which allows attackers to exploit prompt injection. This flaw enables unauthorized access to sensitive information, including security keys, by injecting malicious text into AI prompts. At least five Fortune 500 companies, including Google, were confirmed exposed. Security experts recommend limiting AI tool access and avoiding untrusted user input in prompts to mitigate risks.
2025-12-05 | CSO Online: AI in CI/CD pipelines can be tricked into behaving badly
AI agents in CI/CD pipelines can be manipulated to execute high-privilege commands via crafted GitHub issues or pull request texts. Researchers from Aikido Security identified this vulnerability, termed PromptPwnd, in workflows using GitHub Actions or GitLab CI/CD with AI tools like Gemini CLI and OpenAI Codex. Unsanitized user inputs can lead to unintended repository edits, secret disclosures, or other significant impacts, highlighting the need for stricter input validation and oversight.
2025-12-05 | Cyberscoop: More evidence your AI agents can be turned against you
A vulnerability affecting major AI coding applications, including Google Gemini, Claude Code, and OpenAI’s Codex, has been discovered by Aikido researchers. This flaw allows malicious prompts to be sent to large language models (LLMs) through software development workflows, potentially compromising GitHub Actions. The models may execute harmful commands due to their inability to distinguish between data and instructions. Aikido reported the issue to Google, leading to a fix in Gemini CLI, but the core problem persists across many AI systems.
Researchers find Predator spyware is being used in several countries, including Iraq
Date: 2025-12-04 | Source: Recorded Future
Researchers report that Predator spyware, developed by Intellexa, is being used in Iraq and has connections to entities in Pakistan. While its use appears to have slowed in 2025, changes in domain naming may obscure ongoing activity. Intellexa's customers are also identified in Saudi Arabia, Kazakhstan, Angola, and Mongolia. The spyware has faced scrutiny, leading to sanctions against Intellexa and its founder. New companies linked to Intellexa have been detected, indicating an expanding operational network.
2025-12-04 | TechCrunch: Sanctioned spyware maker Intellexa had direct access to government espionage victims, researchers say
Spyware maker Intellexa allegedly had remote access to government customers' surveillance systems, allowing staff to view personal data of hacked individuals via its Predator spyware. Amnesty International's report, based on leaked materials, indicates that Intellexa could access live surveillance systems, raising privacy concerns. In 2024, the U.S. sanctioned Intellexa's founder, Tal Dilian, for using spyware against Americans, marking a significant action against individuals in the spyware industry.
2025-12-04 | Cyberscoop: Intellexa remotely accessed Predator spyware customer systems, investigation finds
Leaked training videos reveal that Intellexa retained remote access to customer systems using its Predator spyware, raising human rights concerns. An investigation by Inside Story, Haaretz, and Amnesty International uncovered Intellexa's exploitation of malicious mobile ads and confirmed Predator's use in targeting activists in Egypt and a lawyer in Pakistan. Google reported Intellexa's ongoing use of zero-day vulnerabilities in mobile browsers, highlighting its prolific spyware operations.
2025-12-05 | Infosecurity Magazine: Predator Spyware Maker Intellexa Evades Sanctions, New Victims Identified
Spyware maker Intellexa continues operations despite US sanctions, as revealed in the "Intellexa Leaks" investigation. Reports from Google Threat Intelligence Group, Recorded Future, and Amnesty International detail Intellexa's exploitation of zero-day vulnerabilities, with the company linked to at least 15 exploits since 2021. New 'zero-click' attack vectors, particularly the 'Aladdin' system, allow silent infections via malicious ads without user interaction. Intellexa was fined by Greece's Data Protection Authority in 2023 for non-compliance.
2025-12-05 | The Hacker News: Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery
A human rights lawyer in Pakistan was targeted by Intellexa's Predator spyware via a malicious WhatsApp link, marking a first for civil society in the region. The spyware, similar to NSO Group's Pegasus, exploits zero-day vulnerabilities including CVE-2025-48543 and CVE-2023-41993. Intellexa's marketing materials reveal various delivery methods, including malicious ads and network injection systems. The company faces scrutiny for potentially retaining access to customer surveillance systems, raising human rights concerns.
2025-12-05 | Malwarebytes Labs: Leaks show Intellexa burning zero-days to keep Predator spyware running
Intellexa, a commercial spyware vendor, continues to operate its Predator spyware despite US sanctions and investigations. An investigation revealed Intellexa's use of zero-day vulnerabilities against mobile browsers, with Google TAG identifying 15 unique zero-days. Intellexa purchases these exploits, using them until patched. A zero-click infection mechanism, "Aladdin," delivers malware via malicious ads. Recommendations for safety include using ad blockers, keeping software updated, and employing real-time anti-malware solutions.
DDoS attack volume rises in Q3, fueled by Aisuru botnet
Date: 2025-12-03 | Source: Cybersecurity Dive
Distributed denial of service (DDoS) attacks surged 54% in Q3, driven by the Aisuru botnet, which includes 1-4 million hosts. Cloudflare reported an average of 14 hyper-volumetric attacks daily, peaking at 29.7 Tbps and 14.1 billion packets per second. Aisuru targeted critical sectors like telecommunications and finance. Microsoft neutralized a record 15.72 Tbps attack linked to Aisuru in October. Cloudflare mitigated 8.3 million DDoS attacks in Q3, a 40% year-over-year increase.
2025-12-03 | Cyber Security News: 29.7 Tbps DDoS Attack Via Aisuru Botnet Breaks Internet With New World Record
Aisuru botnet has set a new DDoS attack record at 29.7 Tbps, surpassing the previous 22 Tbps mark. The attack utilized a UDP "carpet bombing" technique, targeting 15,000 ports per second. Cloudflare mitigated the attack swiftly, preventing customer impact. The botnet comprises 1–4 million devices and has been responsible for 2,867 attacks in 2025, with a significant rise in volumetric DDoS incidents. Telecommunications and gaming sectors were heavily targeted, with geopolitical unrest influencing attack patterns.
2025-12-04 | The Hacker News: Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts
Cloudflare detected and mitigated a record 29.7 Tbps DDoS attack linked to the AISURU botnet, which has 1-4 million infected hosts. The attack lasted 69 seconds and targeted various sectors, including telecommunications and gaming. In 2025, Cloudflare mitigated 2,867 AISURU attacks, with 1,304 hyper-volumetric attacks in Q3 alone. DDoS attacks against AI companies surged by 347% in September 2025. The report highlights a significant increase in attack volume and sophistication.
2025-12-04 | Security Affairs: Cloudflare mitigates record 29.7 Tbps DDoS attack by the AISURU botnet
Cloudflare mitigated a record 29.7 Tbps DDoS attack from the AISURU botnet on December 4, 2025. The 69-second attack set a new volume record, targeting an undisclosed organization. Cloudflare's Q3 2025 DDoS Threat Report noted a 54% increase in attacks, averaging 14 per day, with significant spikes against AI firms and the automotive sector. The report highlighted the growing sophistication of DDoS attacks and recommended organizations review their defense strategies against evolving threats.
2025-12-04 | The Register: Aisuru botnet turns Q3 into a terabit-scale stress test for the entire internet
The Aisuru botnet has emerged as a significant threat, launching record DDoS attacks from 1 to 4 million infected devices, peaking at 29.7 Tbps in Q3 2025. Cloudflare reported 2,867 Aisuru-linked attacks, with a 54% increase in hyper-volumetric assaults. Network-layer attacks rose sharply, comprising 71% of all attacks. Industries like IT, telecommunications, and automotive faced heightened targeting, with Indonesia as the top source of DDoS traffic. The evolving threat landscape poses challenges for traditional mitigation strategies.
2025-12-04 | TechRadar: This DDoS group just smashed the previous record with a 29.7 Tbps attack
The Aisuru botnet, comprising 1 to 4 million IoT devices, executed a record DDoS attack peaking at 29.7 Tbps, as detailed in Cloudflare's Q3 2025 report. The botnet launched an average of 14 hyper-volumetric attacks daily, targeting sectors like telecom, gaming, and finance. Notable incidents included a 6 Tbps attack on Gcore and a 15.72 Tbps attack on Microsoft. Cloudflare mitigated 1,304 attacks in Q3, with Aisuru's tactics evolving to bypass defenses.
2025-12-04 | Hack Read: Cloudflare Blocks Aisuru Botnet Powered Largest Ever 29.7 Tbps DDoS Attack
Cloudflare's Q3 2025 report reveals the Aisuru botnet launched a record DDoS attack peaking at 29.7 Tbps, utilizing UDP carpet-bombing. Aisuru, comprising 1 to 4 million compromised IoT devices, was responsible for 2,867 attacks this year, with a 54% increase in hyper-volumetric attacks. The IT & Services sector was most targeted, while AI companies saw a 347% traffic spike. Cloudflare emphasizes the need for automated defenses as attacks evolve faster than human response capabilities.
Critical Vulnerabilities in React and Next.js: everything you need to know
Date: 2025-12-03 | Source: Wiz
A critical vulnerability in React and Next.js allows unauthenticated remote code execution (RCE) due to insecure deserialization in default configurations. Identified as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), it affects standard deployments. Exploitation has a near 100% success rate. 39% of cloud environments are vulnerable. Affected versions include React 19.0-19.2 and Next.js 14.3.0-canary, 15.x, and 16.x. Immediate upgrades to patched versions are recommended for mitigation.
2025-12-03 | The Hacker News: Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
A critical vulnerability in React Server Components (CVE-2025-55182) allows unauthenticated remote code execution, with a CVSS score of 10.0. It affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of specific npm packages and has been patched in versions 19.0.1, 19.1.2, and 19.2.1. Additionally, Next.js is impacted (CVE-2025-66478) in versions >=14.3.0-canary.77, >=15, and >=16, with patches available. 39% of cloud environments are vulnerable; immediate updates are recommended.
2025-12-03 | Cyberscoop: Developers scramble as critical React flaw threatens major apps
A critical vulnerability, CVE-2025-55182, affecting React Server Components has been discovered, prompting urgent patches from Meta and affected hosting providers. The flaw allows unauthenticated attackers to achieve remote code execution, posing significant risks to web applications. Researchers warn of imminent exploitation, with potential impacts on sensitive data. Multiple frameworks, including Next.js and others, are affected. Vercel issued a separate CVE, CVE-2025-66478, related to its dependency on React.
2025-12-03 | The Register: 'Exploitation is imminent' as 39 percent of cloud environs have max-severity React hole
A maximum-severity RCE vulnerability in the React library, tracked as CVE-2025-55182, affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0, allowing unauthenticated attackers to execute malicious code. Approximately 39% of cloud environments are vulnerable. Upgrading to versions 19.0.1, 19.1.2, and 19.2.1 is recommended. Vercel has assigned CVE-2025-66478 for the same flaw. Immediate patching is critical due to the ease of exploitation and potential for widespread attacks.
2025-12-03 | Google Cloud: Responding to CVE-2025-55182: Secure your React and Next.js workloads
Meta and Vercel disclosed CVE-2025-55182, a critical vulnerability (CVSS 10.0) affecting React Server Components (versions 19 to 19.2.0) and Next.js (versions 15 to 16), allowing remote code execution. Patches are available in React 19.2.1 and Next.js. Google Cloud recommends updating to the latest versions and deploying a new Cloud Armor WAF rule to block exploitation attempts. Firebase Hosting users have automatic protections, while others must manually patch vulnerable packages.
2025-12-03 | Ars Technica: Admins and defenders gird themselves against maximum-severity server vuln
A maximum-severity vulnerability in React Server Components, disclosed on Wednesday, affects approximately 6% of all websites and 39% of cloud environments. The vulnerability allows hackers to execute malicious code on servers with just a single HTTP request, achieving near-100% reliability in exploitation. Due to React's widespread use and the ease of exploitation, it has been assigned a severity rating of 10. Security experts recommend immediate updates for all React-related applications to mitigate risks.
2025-12-04 | CSO Online: Developers urged to immediately upgrade React, Next.js
Developers using the React 19 library are urged to upgrade immediately due to a critical vulnerability in the React Server Components (RSC) Flight protocol, which allows attackers to remotely execute code. This vulnerability affects the React 19 ecosystem and frameworks like Next.js, which has its own CVE. The RSC Flight protocol facilitates communication between the client and server by transmitting serialized component trees.
2025-12-04 | Cyber Security News: Critical RSC Flaw in React and Next.js Enables Remote Attackers to Execute Malicious Code
A critical vulnerability in React and Next.js allows remote attackers to execute malicious code without authentication. The flaws, tracked as CVE-2025-55182 and CVE-2025-66478, affect specific versions of React Server Components and Next.js, with a CVSS score of 10.0. Exploitation requires sending a crafted HTTP request, leading to insecure deserialization. React has released fixes in versions 19.0.1, 19.1.2, and 19.2.1, while Next.js has issued hardened releases. Immediate upgrades are recommended.
2025-12-04 | Cyber Security News: New Scanner Tool for Detecting Exposed ReactJS and Next.js RSC Endpoints (CVE-2025-55182)
A new security assessment tool has been released to detect exposed React Server Components (RSC) endpoints related to CVE-2025-55182, a critical vulnerability in Next.js. Developed by a researcher known as Fatguru, the Python script uses “Surface Detection” to identify vulnerabilities without aggressive exploits. It checks for the RSC protocol and specific headers, flagging potentially dangerous endpoints. The tool requires Python 3 and supports both single and bulk scanning, outputting results in CSV format for reporting.
2025-12-04 | Help Net Security: Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182)
A critical vulnerability (CVE-2025-55182) in React Server Components allows unauthenticated attackers to achieve remote code execution. It affects React versions 19.0.0 to 19.2.0 and related packages. The vulnerability has been patched in React v19.2.1. Next.js applications are also impacted, with CVE-2025-66478 assigned for this issue. Users are advised to upgrade immediately, as 39% of cloud environments contain vulnerable versions. Cloudflare and Google Cloud have implemented protective measures.
2025-12-04 | Cybersecurity Dive: Critical vulnerabilities found in React and Next.js
Security researchers identified critical vulnerabilities in React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478), allowing unauthenticated remote-code execution due to unsafe deserialization. Both vulnerabilities have a severity score of 10 and require immediate patching. Configurations are vulnerable by default, with a high exploitation success rate. React and Vercel have issued guidance for updates. Approximately 40% of cloud environments are affected. The flaw was reported on Nov. 29 through the Meta Bug Bounty program.
2025-12-04 | Rapid7: React2Shell (CVE-2025-55182) - Critical unauthenticated RCE affecting React Server Components
On December 3, 2025, Meta disclosed CVE-2025-55182, a critical unauthenticated remote code execution vulnerability in React, rated 10.0 on the CVSS scale. It affects React applications supporting React Server Components and related frameworks like Next.js. No public exploit code exists yet, but organizations are urged to remediate urgently. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, with updates available in versions 19.0.1, 19.1.2, and 19.2.1.
2025-12-04 | Flashpoint: Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution
A critical vulnerability, CVE-2025-55182, affecting all React versions since 19.0.0 allows unauthenticated remote code execution, posing significant risks to enterprise applications. Exploitation could lead to malware installation. Affected frameworks include next, react-router, and others. Mitigation involves upgrading to React versions 19.0.1, 19.1.2, or 19.2.1. Cloudflare has updated its WAF to protect against this vulnerability. Security teams are urged to act urgently and monitor updates from Flashpoint's VulnDB.
2025-12-04 | Palo Alto: Critical Vulnerabilities in React Server Components and Next.js
On Dec. 3, 2025, critical RCE vulnerabilities were disclosed in React Server Components and Next.js, tracked as CVE-2025-55182 and CVE-2025-66478, with a CVSS score of 10.0. These flaws allow unauthenticated attackers to execute arbitrary code via insecure deserialization of HTTP requests. Affected versions include React 19.0-19.2 and Next.js 15.x-16.x. Immediate upgrades to patched versions are recommended. No exploitation reports exist as of the disclosure date.
2025-12-05 | AWS Security Blog: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
China state-nexus threat groups, including Earth Lamia and Jackpot Panda, are actively exploiting the React2Shell vulnerability (CVE-2025-55182) disclosed on December 3, 2025. This critical vulnerability affects React 19.x and Next.js 15.x/16.x and allows unauthenticated remote code execution. AWS has implemented protective measures but emphasizes the need for customers to patch vulnerable applications immediately. Indicators of compromise include suspicious HTTP POST requests and unexpected command executions.
2025-12-05 | Cyber Security News: PoC Exploit Released for Critical React, Next.js RCE Vulnerability (CVE-2025-55182)
A PoC exploit for CVE-2025-55182, a critical RCE vulnerability in React Server Components, was released, scoring 10.0 on the CVSS. It affects React versions 19.0.0-19.2.0 and Next.js 15.x-16.x. The flaw, due to insecure deserialization, allows execution of arbitrary code via crafted HTTP requests. Discovered on November 29 and disclosed on December 3, it has prompted patches and a new scanner tool. Exploitation attempts have been reported, with 39% of cloud environments potentially vulnerable. Immediate upgrades are recommended.
2025-12-05 | Cyber Security News: China-Nexus Hackers Actively Exploiting React2Shell Vulnerability (CVE-2025-55182) in the Wild
China-nexus threat groups are exploiting the React2Shell vulnerability (CVE-2025-55182) in React Server Components, allowing remote code execution without authentication. Affected versions include React 19.x and Next.js 15.x and 16.x with App Router. AWS identified exploit traffic shortly after disclosure and implemented new defenses. Attackers are testing payloads to execute commands on compromised servers. Teams are advised to patch quickly and monitor for specific HTTP headers and unusual Node.js processes.
2025-12-05 | The Guardian: Cloudflare outage hits major web services including X, LinkedIn and Zoom – business live
Cloudflare experienced a significant outage affecting major websites, including LinkedIn and Zoom, due to a deliberate change in its Web Application Firewall aimed at mitigating a security vulnerability in React Server Components. The issue, which began around 9 AM UK time, was resolved shortly after, with Cloudflare confirming it was not a cyber attack. This incident raises concerns about reliance on a few technology providers and potential regulatory scrutiny regarding operational resilience in the digital economy.
2025-12-05 | The Guardian: Cloudflare apologises after latest outage takes down LinkedIn and Zoom
On Friday morning, Cloudflare experienced an outage affecting numerous websites, including LinkedIn, Zoom, and Downdetector. The issues began around 9 AM UK time, with users encountering "a large number of empty pages." Cloudflare implemented a potential fix and monitored the situation. Downdetector recorded over 4,500 reports related to the outage. Jake Moore from ESET highlighted the risks of relying on a single provider like Cloudflare, noting the vulnerabilities in the legacy network design.
2025-12-05 | ABC News: Cloudflare investigates outage that brought down sites including Zoom and LinkedIn
Cloudflare is investigating a morning outage on Friday that affected multiple global websites, including LinkedIn and Zoom. This incident marks the second outage in less than three weeks. The company reported that the issue, related to the Cloudflare Dashboard and APIs, has been resolved. The outage also disrupted flights at Edinburgh Airport, which resumed after the issue was fixed. Previous outages have impacted services like ChatGPT and Microsoft Azure.
2025-12-05 | The Hacker News: Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability
Chinese hacking groups Earth Lamia and Jackpot Panda are exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) shortly after its announcement. This flaw allows unauthenticated remote code execution and has been patched in React versions 19.0.1, 19.1.2, and 19.2.1. AWS reports these actors targeting various sectors globally, employing tactics to scan for unpatched systems and execute commands to access sensitive information.
2025-12-05 | The Register: Beijing-linked hackers are hammering max-severity React bug, AWS warns
Amazon has reported that Beijing-linked hackers are actively exploiting the critical React vulnerability CVE-2025-55182, which allows remote code execution due to unsafe deserialization. This exploitation began within hours of the vulnerability's disclosure, with approximately 39% of cloud environments still vulnerable. AWS has implemented mitigations but emphasizes the necessity of immediate patching. React released patches on the same day of the vulnerability announcement, but organizations delaying updates should assume they have been targeted.
2025-12-05 | Cyber Security News: Cloudflare Outage Traced to Emergency React2Shell Patch Deployment
Cloudflare experienced a 25-minute outage on December 3 due to an internal change in its Web Application Firewall (WAF) aimed at mitigating CVE-2025-55182, a critical RCE vulnerability in React Server Components known as "React2Shell." The disruption affected numerous services, including Coinbase and Claude AI, causing 500 Internal Server Errors. Cloudflare rolled back the changes by 9:20 UTC. Users are urged to update to React 19.2.1 and newer Next.js versions to address the vulnerability.
2025-12-05 | Infosecurity Magazine: React.js Hit by Maximum-Severity 'React2Shell' Vulnerability
A critical remote code execution vulnerability, CVE-2025-55182 (React2Shell), was disclosed on November 29, 2025, affecting React.js and Next.js frameworks. It has a CVSS score of 10.0, allowing attackers to execute arbitrary code on vulnerable servers without authentication. Exploitation is nearly 100% successful in default configurations. Security teams are advised to upgrade to fixed versions (React 19.0.1, 19.1.2, 19.2.1) and consider migrating Next.js apps to the Pages Router if applicable.
2025-12-05 | Recorded Future: Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say
Chinese state-backed hackers are exploiting a critical vulnerability, CVE-2025-55182 (React2Shell), in the React Server Components tool, affecting 50 million websites. Disclosed on November 29, the bug has a severity score of 10/10. Amazon's CISO reported multiple Chinese threat groups, including Earth Lamia and Jackpot Panda, targeting various sectors. Attackers are using both automated tools and manual exploits, with concerns that full exploitation will escalate as public proof-of-concept exploits circulate.
2025-12-05 | TechRadar: Experts warn this 'worst case scenario' React vulnerability could soon be exploited - so patch now
A critical vulnerability (CVE-2025-55182) in React Server Components allows pre-authentication remote code execution (RCE) in versions 19.0–19.2.0, affecting frameworks like Next and React Router. Patches are available in versions 19.0.1, 19.1.2, and 19.2.1. Experts warn of imminent exploitation with a near 100% success rate, urging immediate upgrades to mitigate risks. The flaw impacts a significant portion of cloud environments, including major platforms like Facebook and Netflix.
2025-12-05 | The Register: Cloudflare blames Friday outage on borked fix for React2shell vuln
Cloudflare experienced a significant outage affecting 28% of its HTTP traffic due to a failed fix for the React2Shell vulnerability (CVE-2025-55182) in the React JavaScript library. The flaw allows remote code execution without authentication and is actively exploited by state-affiliated groups, including those from China. The UK government and CISA have warned of its exploitation. Security experts suggest that the rapid dissemination of proof-of-concepts (POCs) and misinformation complicates the response to such vulnerabilities.
2025-12-05 | Cybersecurity Dive: State-linked groups target critical vulnerability in React Server Components
Researchers warn that critical vulnerabilities in Meta’s React Server Components and Next.js are under threat from state-linked groups, particularly Earth Lamia and Jackpot Panda, who attempted to exploit CVE-2025-55182 shortly after its disclosure. The vulnerability, known as React2Shell, allows remote code execution via unsafe deserialization. The Cybersecurity and Infrastructure Security Agency has added it to its Known Exploited Vulnerabilities catalog. React has issued a patch and urges immediate upgrades.
2025-12-05 | Cyberscoop: Attackers hit React defect as researchers quibble over proof
A critical vulnerability, React2Shell (CVE-2025-55182), affecting React Server Components, was disclosed by Meta and the React team. It allows unauthenticated remote-code execution and has a CVSS rating of 10. Multiple organizations have reported exploitation attempts, including credential theft and cryptojacking. The vulnerability affects 39% of cloud environments using React or Next.js. Various threat groups, including state-nexus actors, are actively exploiting it. Patching has led to some operational risks, as seen with Cloudflare's temporary outage.
2025-12-05 | CSO Online: Warning: React2Shell vulnerability already being exploited by threat actors
The React2Shell vulnerability in React Server Components (RSC) is currently being exploited by threat actors, with GreyNoise reporting opportunistic and automated attempts to leverage this unsafe deserialization flaw. The urgency to address this vulnerability has increased as it is being incorporated into Mirai and other botnet exploitation kits. Immediate action is recommended to mitigate potential impacts on IT environments.
Microsoft Patched Windows LNK Vulnerability Exploited by Hackers in the Wild as 0-Day
Date: 2025-12-03 | Source: Cyber Security News
Microsoft patched the Windows shortcut vulnerability CVE-2025-9491, exploited since 2017 to conceal malicious commands in LNK files. The flaw was addressed in November 2025 updates but not listed among 63 patched vulnerabilities. Active exploitation by threat actor UNC6384 targeting diplomatic entities prompted the patch. The update modified how LNK file properties display, while ACROS Security offered a micropatch to truncate long Target fields. Recommendations include enhanced endpoint detection and security awareness training.
2025-12-03 | The Hacker News: Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation
Microsoft has patched CVE-2025-9491, a Windows LNK file vulnerability exploited since 2017, allowing remote code execution via crafted .LNK files. The flaw was used by state-sponsored groups for espionage and data theft. The patch ensures the full Target command is visible in the Properties dialog, addressing the issue of malicious commands being concealed. 0patch offers an alternative solution by warning users about LNK files with over 260 characters. The vulnerability was previously deemed non-critical by Microsoft.
2025-12-04 | CSO Online: Windows shortcuts’ use as a vector for malware may be cut short
A recent issue with Windows LNK shortcut files, exploited by attackers to conceal malicious commands, may be addressed with new patches. The vulnerability allowed harmful payloads to be masked in the Target field of LNK files through whitespace padding, making them undetectable during inspection. Despite the ongoing abuse of this method, Microsoft has not classified it as a vulnerability.
2025-12-04 | TechRadar: Microsoft quietly patches LNK vulnerability that's been weaponized for years
Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including CVE-2025-9491, a critical flaw in Windows LNK files allowing Remote Code Execution (RCE) attacks. This vulnerability, exploited since 2017 by state-sponsored groups from China, Iran, North Korea, and Russia, has a severity rating of 7.8/10. It enables attackers to hide malicious commands in shortcut files, misleading users about their safety. Microsoft initially downplayed the issue but acted after cybersecurity warnings.
2025-12-04 | The Register: Microsoft quietly shuts down Windows shortcut flaw after years of espionage abuse
Microsoft has addressed a critical Windows shortcut flaw, CVE-2025-9491, exploited by espionage and cybercrime groups. This vulnerability allowed malicious .lnk files to conceal harmful commands, enabling hidden code execution. Trend Micro noted that 11 state-sponsored groups used this flaw for cyber espionage. Microsoft implemented a fix in November 2025, revealing full command details in shortcut properties. Despite the patch, many systems may still be compromised, highlighting ongoing risks.
Two Virginia Men Arrested for Conspiring to Destroy Government Databases
Date: 2025-12-03 | Source: US Department of Justice
Two Virginia men, Muneeb and Sohaib Akhter, were arrested for conspiring to destroy U.S. government databases and steal sensitive information. Indicted on Nov. 13, they allegedly deleted 96 databases, including those related to Freedom of Information Act matters, and accessed unauthorized information post-termination. Muneeb faces charges including computer fraud and aggravated identity theft, with potential penalties totaling 45 years. Sohaib is charged with conspiracy and password trafficking, facing up to 6 years.
2025-12-03 | Cyberscoop: Twins with hacking history charged in insider data breach affecting multiple federal agencies
Twin brothers Muneeb and Sohaib Akhter were arrested for allegedly stealing and destroying government data from a contractor after being fired. The breach affected multiple federal agencies, including DHS and IRS. Muneeb is accused of deleting 96 databases and stealing sensitive information, while Sohaib allegedly trafficked a password for Opexus systems. Both have prior convictions for cybercrimes. Muneeb faces up to 45 years in prison, and Sohaib up to six years.
2025-12-04 | Recorded Future: Virginia brothers charged with hacking, deleting federal databases holding FOIA info
Twin brothers Muneeb and Sohaib Akhter, 34, were arrested for allegedly hacking and deleting approximately 96 U.S. government databases containing FOIA information. They abused their roles as federal contractors to harm their employer after being fired. Muneeb faces charges including aggravated identity theft and could receive 45 years in prison, while Sohaib faces a maximum of six years. Their actions compromised sensitive government data and disrupted agency operations. Both have a history of cybercrimes.
2025-12-04 | The Register: Twins who hacked State Dept hired to work for gov again, now charged with deleting databases
Twin brothers Muneeb and Sohaib Akhter, previously convicted of hacking, were indicted on November 13 for allegedly deleting 96 US government databases shortly after being fired from Opexus on February 18. They accessed systems without authorization, used AI to cover their tracks, and deleted sensitive records, including those related to Homeland Security. Muneeb faces up to 45 years in prison, while Sohaib could face a maximum of six years. Both remain in custody pending hearings.
2025-12-04 | Ars Technica: In comedy of errors, men accused of wiping gov databases turned to an AI tool
Muneeb and Sohaib Akhter, federal contractors previously convicted of hacking, were charged with attempting to delete sensitive government databases immediately after being fired. On February 18, they accessed their employer’s system, deleting 96 databases containing sensitive information. Lacking the necessary skills, they turned to an AI tool for guidance on covering their tracks. Prosecutors noted their discussions about removing evidence and their subsequent actions to wipe their laptops.
University of Pennsylvania joins list of victims from Clop's Oracle EBS raid
Date: 2025-12-02 | Source: The Register
The University of Pennsylvania has reported a data breach involving Clop's exploitation of a zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882). On November 11, the university discovered that personal data of 1,488 Maine residents was compromised. Following the breach, Penn patched its systems and notified federal law enforcement. The university is offering two years of credit monitoring and is working with cybersecurity experts to enhance security measures.
2025-12-02 | Cyberscoop: University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks
The University of Pennsylvania confirmed a data breach affecting nearly 1,500 Maine residents due to a Clop ransomware attack exploiting vulnerabilities in Oracle E-Business Suite in August. The university, along with other Ivy League institutions, was unaware of the breach until Oracle disclosed the vulnerability in September. Personal information was stolen, but details on the data type remain unspecified. Other impacted organizations include Dartmouth College, Harvard University, and Cox Enterprises, among others.
2025-12-03 | Recorded Future: University of Phoenix says 'numerous individuals' impacted by Oracle EBS breach
The University of Phoenix reported a data breach involving Oracle E-Business Suite, affecting "numerous individuals." The breach was detected on November 21, revealing unauthorized access to personal information, including Social Security numbers and bank details, dating back to August. The incident is linked to a vulnerability exploited by the Clop extortion group, which has targeted multiple institutions. The university's parent company has cybersecurity insurance to cover related costs.
2025-12-03 | Security Affairs: University of Pennsylvania and University of Phoenix disclose data breaches
The University of Pennsylvania and the University of Phoenix reported data breaches linked to a cyberattack on Oracle E-Business Suite. Penn confirmed unauthorized access to its EBS environment, revealing that personal data was compromised. It is notifying affected individuals and offering 24 months of complimentary credit monitoring. The University of Phoenix also acknowledged a breach involving personal information, including names, Social Security numbers, and bank account details, accessed in August 2025.
Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera
Date: 2025-12-02 | Source: The Hacker News
A joint investigation by BCA LTD, NorthScan, and ANY.RUN revealed a Lazarus Group scheme involving remote IT workers. Researchers observed operators using a fake job recruitment process to gain access to victims' laptops. The operation utilized AI tools for job applications, browser-based OTP generators for 2FA, and Google Remote Desktop for persistent control. The findings highlight the risks of remote hiring as a vector for identity theft and internal compromises, urging companies to raise awareness and implement safeguards.
2025-12-02 | Cyber Security News: Researchers Expose Lazarus Recruitment Pipeline Live on Camera Through Honeypot Operation
A collaborative investigation by BCA LTD, ANY.RUN, and NorthScan exposed the recruitment tactics of the Lazarus Group, revealing their "Famous Chollima" attack cycle through a honeypot operation. Researchers documented attackers, including a recruiter named “Blaze,” using compromised systems to infiltrate organizations. The findings highlight the group's shift towards recruiting insiders for network access, emphasizing the need for vigilance regarding job postings in sensitive sectors. Technical indicators from the investigation will be released soon.
2025-12-03 | Security Affairs: Researchers spotted Lazarus’s remote IT workers in action
Researchers uncovered a Lazarus APT scheme involving remote IT workers linked to North Korea's Chollima unit. The investigation revealed operators using fake identities to infiltrate organizations in finance, crypto, healthcare, and engineering. They utilized AI tools to pass interviews and gain control of victim laptops without deploying malware. The operation was recorded in a controlled environment, highlighting tactics like identity theft and remote access through tools like Google Remote Desktop and Astrill VPN. Recommendations include raising awareness and providing secure reporting channels for suspicious contacts.
2025-12-03 | TechRadar: North Korean 'fake worker' scheme caught live on camera
Researchers from BCA Ltd, Northscan, and ANY.RUN exposed tactics of North Korean hackers from the Lazarus group during a 'malicious interview' campaign. They tricked the hackers into using sandbox environments disguised as legitimate laptops. The criminals, known as 'Famous Chollima,' recruited engineers to act as fronts, offering 20-30% of salaries. Tools used included browser-based OTP generators and AI automation to bypass 2FA. This research aids security teams in understanding and defending against such threats.
2025-12-04 | Cyber Security News: Lazarus Group’s IT Workers Scheme Hacker Group Caught Live On Camera
Lazarus Group's Chollima unit was caught using a remote IT worker scheme, employing identity theft and off-the-shelf tools to infiltrate Western finance and crypto firms. Researchers created fake laptops to monitor the group's activities, revealing their reliance on AI-driven job automation and consumer VPNs. The operation highlights the need for tighter identity verification and skepticism towards remote job offers, amid ongoing U.S. law enforcement actions against North Korean IT worker schemes linked to significant thefts.
MuddyWater cyber campaign adds new backdoors in latest wave of attacks
Date: 2025-12-02 | Source: Help Net Security
ESET researchers report on the MuddyWater cyberespionage group, linked to Iran, which has refined its tactics in a recent campaign targeting various sectors in Israel and one confirmed victim in Egypt. The group deployed a new backdoor, MuddyViper, and a loader named Fooder, which disguises itself as a game. Initial access was gained through spearphishing emails with malicious PDF attachments. The campaign showcases advanced techniques, including custom delays and multiple credential stealers, indicating a technical evolution in their operations.
2025-12-02 | The Hacker News: Iran-Linked Hackers Hit Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks
Iranian hackers, linked to the MuddyWater group, have targeted various Israeli sectors using a new backdoor called MuddyViper. The attacks, attributed to Iran's MOIS, focus on local authorities, healthcare, and technology, employing phishing and VPN vulnerabilities. The MuddyViper backdoor allows for extensive system control and data exfiltration. Additionally, a leak revealed details about Iranian cyber operations, including the structure of their hacking units and tools used in espionage campaigns.
2025-12-02 | Security Affairs: MuddyWater strikes Israel with advanced MuddyViper malware
Iran-linked APT group MuddyWater targeted Israeli organizations and one Egyptian entity with the MuddyViper backdoor between September 30, 2024, and March 18, 2025. The campaign used the Fooder loader, disguised as a Snake game, to deploy MuddyViper, which steals system info and credentials. Advanced techniques included using the Windows CNG cryptographic API and go-socks5 reverse tunnels. ESET noted the group's evolving sophistication and reliance on spearphishing and custom tools for stealth and persistence.
2025-12-02 | Recorded Future: Iran-linked hackers target Israeli, Egyptian critical infrastructure through phishing campaign
Iran-linked hackers, MuddyWater, targeted critical infrastructure in Israel and Egypt from September 2024 to March 2025 using a phishing campaign. The operation involved spearphishing emails with PDF attachments leading to spyware disguised as the Snake game. A new backdoor, MuddyViper, exfiltrated Windows credentials and browser data. The custom loader, Fooder, enhanced evasion tactics. The campaign demonstrated technical evolution with advanced tools and strategic targeting, deploying multiple credential stealers post-compromise.
2025-12-03 | Cyber Security News: MuddyWater Attacks Critical Infrastructure With Custom Malware and Improved Tactics
MuddyWater, an Iran-aligned cyberespionage group, has targeted critical infrastructure in Israel and Egypt from September 2024 to March 2025. Their campaign utilizes custom malware, including the "Fooder" loader and "MuddyViper" backdoor, employing spearphishing tactics with links to legitimate-looking RMM software. The malware executes in memory, uses AES encryption, and employs social engineering techniques to harvest credentials. This marks a significant evolution in their operational tactics, focusing on stealth and persistence.
2025-12-03 | TechRadar: Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructure
An Iranian-aligned hacking group, MuddyWater, has shifted tactics to target Israeli and Egyptian critical infrastructure, employing a new backdoor called MuddyViper, delivered via a loader disguised as the Snake game. The campaign involved spearphishing emails with PDF attachments linking to malicious software hosted on file-sharing services. MuddyViper can collect system information, execute commands, and steal credentials. The group targeted 17 organizations in Israel and one in Egypt across various sectors.
Google addresses 107 Android vulnerabilities, including two zero-days
Date: 2025-12-01 | Source: Cyberscoop
Google's December security update for Android addressed 107 vulnerabilities, including two zero-days: CVE-2025-48633 and CVE-2025-48572, both high-severity flaws in the Android framework. The most severe vulnerability, CVE-2025-48631, allows remote denial of service. The update includes two patch levels (2025-12-01 and 2025-12-05) and fixes for various components from Arm, MediaTek, Unisoc, and Qualcomm. Source code patches for the vulnerabilities will be available in the Android Open Source Project repository by Wednesday.
2025-12-02 | The Hacker News: Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild
Google released security updates for Android on December 1 and 5, 2025, addressing 107 vulnerabilities, including two high-severity flaws exploited in the wild: CVE-2025-48633 (information disclosure) and CVE-2025-48572 (elevation of privilege). A critical vulnerability, CVE-2025-48631, could lead to remote denial-of-service. Users are urged to update their devices promptly. This follows previous fixes for two actively exploited Linux Kernel vulnerabilities (CVE-2025-38352, CVE-2025-48543).
2025-12-02 | Cyber Security News: Google Patches Android 0-Day Vulnerabilities Exploited in the Wild
Google has released critical updates for Android addressing multiple zero-day vulnerabilities, including CVE-2025-48633 and CVE-2025-48572, both classified as high severity. CVE-2025-48633 allows unauthorized information disclosure, while CVE-2025-48572 enables privilege escalation. The most severe vulnerability, CVE-2025-48631, can cause remote denial-of-service attacks without requiring authentication. Users are urged to install updates immediately, especially for Android versions 13-16, and ensure Google Play Protect is enabled.
2025-12-02 | Security Affairs: Google’s latest Android security update fixes two actively exploited flaws
Google's December 2025 Android security update addresses 107 vulnerabilities, including two actively exploited flaws: CVE-2025-48572 (elevation of privilege) and CVE-2025-48633 (information disclosure). The update features two patch levels (12-01, 12-05) for quicker fixes. Critical vulnerabilities in closed-source components include CVE-2025-47319 and CVE-2025-47372. The most severe issue could lead to remote denial of service without additional execution privileges.
2025-12-02 | Infosecurity Magazine: Google Releases Patches for Android Zero-Day Flaws Exploited in the Wild
On December 1, Google released its Android Security Bulletin addressing 107 zero-day vulnerabilities in Android and AOSP. Patches for 51 flaws were disclosed, including two high-severity information disclosure issues (CVE-2025-48633 and CVE-2025-48572) affecting Android 13-16, which may be under targeted exploitation. A critical vulnerability (CVE-2025-48631) could lead to remote denial of service. Additional patches for 56 vulnerabilities in various components will be released on December 5.
2025-12-02 | Malwarebytes Labs: Google patches 107 Android flaws, including two used to hijack devices
Google's December 2025 Android Security Bulletin addresses 107 vulnerabilities, including two high-severity flaws actively exploited: CVE-2025-48633, with limited details, and CVE-2025-48572 (CVSS 7.4), both in the Android framework. Users are advised to update devices to patch these issues, install apps only from official stores, verify app developers, and use anti-malware solutions. Keeping Android and apps updated is crucial for protection against known vulnerabilities.
2025-12-02 | Malwarebytes Labs: Google patches 107 Android flaws, including two being actively exploited
Google's December 2025 Android Security Bulletin addresses 107 vulnerabilities, including two high-severity flaws (CVE-2025-48633 and CVE-2025-48572) actively exploited. The vulnerabilities stem from improper input validation in the Android application framework, allowing local apps to access sensitive data or execute arbitrary code. Users are advised to install apps only from official stores, verify app developers, and keep devices updated to mitigate risks. Patches are available for Android versions 13 to 16.
2025-12-02 | TechRadar: 107 Android flaws just got patched by Google - here's how to make sure you're up to date
Google patched over 100 Android vulnerabilities, including two zero-days (CVE-2025-48633, CVE-2025-48572) exploited in spyware campaigns. A critical DoS vulnerability (CVE-2025-48631) was also fixed. These flaws affect Android versions 13-16 and were found in System, Kernel, and Framework components, impacting manufacturers like Arm, MediaTek, and Qualcomm. Users are urged to update immediately, as the fixes are released in two levels (2025-12-01 and 2025-12-05).
2025-12-02 | Help Net Security: Google fixes Android vulnerabilities “under targeted exploitation” (CVE-2025-48633, CVE-2025-48572)
Google has patched 51 Android vulnerabilities, including two high-severity flaws (CVE-2025-48633, CVE-2025-48572) potentially under targeted exploitation. CVE-2025-48633 allows access to sensitive information, while CVE-2025-48572 may enable privilege escalation. The December 1 patches are available for Android 13, 14, 15, and 16, with additional patches for 56 other flaws scheduled for December 5. Samsung and Motorola have begun releasing updates, with others expected soon. Users are advised to check for updates.
2025-12-02 | The Register: Two Android 0-day bugs disclosed and fixed, plus 105 more to patch
Two high-severity Android zero-day vulnerabilities, CVE-2025-48633 (information disclosure) and CVE-2025-48572 (elevation of privilege), were exploited before being patched in Google's December security bulletin. Additionally, 105 other vulnerabilities were addressed, including seven critical bugs. Notably, CVE-2025-48631 could lead to remote denial of service. Qualcomm's CVE-2025-47319 and CVE-2025-47372 also pose significant risks. Users are urged to update their Android software promptly.
2025-12-02 | Security Affairs: U.S. CISA adds Android Framework flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA has added two Android Framework vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-48572 (Privilege Escalation) and CVE-2025-48633 (Information Disclosure). Google’s December update patched 107 vulnerabilities, including these two, which are under limited exploitation. Federal agencies must address these vulnerabilities by December 23, 2025, per Binding Operational Directive 22-01. Experts recommend private organizations also review and mitigate these vulnerabilities.
2025-12-03 | Cyber Security News: CISA Warns of Android 0-Day Vulnerability Exploited in Attacks
CISA has added two critical Android Framework vulnerabilities, CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure), to its Known Exploited Vulnerabilities catalog due to active exploitation. Federal agencies must apply patches by December 23, 2025. These vulnerabilities can allow attackers to gain elevated permissions and extract sensitive data. CISA recommends immediate patching, enabling automatic updates, and monitoring for indicators of compromise to enhance security.
2025-12-03 | Tomsguide: Google just fixed 107 security flaws including two zero-days — update your Android phone right now
Google's December 2025 Android Security Bulletin addresses 107 vulnerabilities, including two zero-day flaws: CVE-2025-48633 (information disclosure) and CVE-2025-48572 (elevation of privilege), both actively exploited. A critical DoS flaw, CVE-2025-48631, was also fixed. The vulnerabilities affect Android versions 13-16, with 51 flaws in the Android Framework and System, and 56 in the Kernel. Users are advised to keep devices updated and consider newer models for ongoing support.
India Orders Phone Makers to Pre-Install Government App to Tackle Telecom Fraud
Date: 2025-12-01 | Source: The Hacker News
India's telecommunications ministry has mandated that mobile device manufacturers preload the Sanchar Saathi app on all new phones within 90 days. This app, which cannot be deleted, allows users to report telecom fraud, block stolen devices, and check mobile connections in their name. Since its May 2023 launch, it has blocked over 4.2 million lost devices. The directive aims to enhance telecom cybersecurity against threats like spoofed IMEI numbers.
2025-12-01 | The Guardian: India orders phone makers to preload devices with state-owned cyber safety app
India's telecoms ministry has mandated that smartphone manufacturers preload the state-owned Sanchar Saathi cybersecurity app on all new devices, which cannot be deleted. This order, effective from November 28, gives companies 90 days to comply. The app aims to combat cybercrime by tracking lost or stolen phones and blocking fraudulent connections. Critics, including privacy advocates, express concerns over user consent and the implications for companies like Apple, which traditionally resists such government mandates.
2025-12-02 | Cyber Security News: India Mandates ‘Undeletable’ Government Cybersecurity App for All Smartphones
India's Department of Telecommunications has mandated that smartphone manufacturers preload the government cybersecurity app "Sanchar Saathi" on all new devices within 90 days, starting November 28, 2025. The app, designed to combat digital fraud and cybercrime, includes features for reporting fraud, blocking stolen devices, managing connections, and verifying device authenticity. Concerns over privacy and user trust have arisen due to the app's undeletable nature and extensive system access. Manufacturers must also update existing devices to include the app.
2025-12-02 | The Register: India demands smartphone makers install a government app on every handset
India's government mandates that all smartphone manufacturers install the "Sanchar Saathi" app on devices within 90 days, preventing users from removing it. The app allows users to report suspected fraud and block stolen devices, while also verifying IMEI numbers. It aims to enhance cybersecurity and combat telecom fraud. Critics argue it may infringe on privacy, as the app accesses call logs and messages. The directive requires the app to be pre-installed and fully functional upon device setup.
2025-12-02 | ABC News: India mandates pre-installation of government cyber safety app on all smartphones
India's telecoms ministry has mandated that all new smartphones must pre-install the government cybersecurity app "Sanchar Saathi" within 90 days, preventing users from deleting it. The app aims to combat telecom fraud and enhance cybersecurity, having already facilitated the recovery of over 700,000 lost devices. Privacy advocates express concerns over user consent and potential surveillance implications. The order may face pushback from manufacturers like Apple, which typically does not allow third-party app pre-installation.
2025-12-02 | BBC News: India tells smartphone makers to put state-run cyber safety app on new devices
India has mandated that all new smartphones come pre-loaded with the state-run Sanchar Saathi cybersecurity app, which must remain functional and cannot be disabled. This order, effective within 90 days, aims to help users verify device authenticity and report misuse. Critics argue it infringes on privacy rights, as the app can access calls, messages, and files. The government claims users can delete the app, but details on how to do so remain unclear. Compliance reports from manufacturers are due in 120 days.
2025-12-02 | TechCrunch: India plans to verify and record every smartphone in circulation
India's telecom ministry is expanding its anti-theft and cybersecurity initiative to include all smartphones, requiring verification of devices through a central IMEI database. The Sanchar Saathi app, mandated for pre-installation on new phones, has blocked over 4.2 million devices and traced 2.6 million. Critics raise privacy concerns, arguing it increases state surveillance. The initiative aims to combat cybercrime and fraud in the second-hand market, but lacks clarity on data storage and access safeguards.
2025-12-02 | Recorded Future: India faces backlash over government cyber safety app mandate
India's government mandated that smartphone manufacturers, including Apple, preload the Sanchar Saathi app on new devices to combat fraud and phone theft. The app must be non-removable and also added to existing devices via updates. Apple plans to inform officials it cannot comply due to security concerns. Additionally, new rules require messaging services to link accounts to SIM cards and enforce automatic logouts, raising concerns about user disruption and the effectiveness of these measures against fraud.
2025-12-02 | The Hacker News: India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse
India's Department of Telecommunications (DoT) has mandated that messaging apps like WhatsApp and Signal must operate only with active SIM cards linked to users' mobile numbers within 90 days. This amendment aims to combat phishing and cyber fraud by ensuring that accounts cannot function without an active SIM, thus closing security gaps exploited by criminals. The directive includes periodic session logouts and re-authentication to reduce account takeover risks and enhance traceability for scams.
2025-12-03 | Security Affairs: India mandates SIM-linked messaging apps to fight rising fraud
India's Department of Telecommunications mandates that messaging apps like WhatsApp and Telegram must operate only with active SIM cards linked to users' phone numbers to combat fraud. The new rules, part of the 2024 Telecom Cyber Security Rules, require compliance within 90 days and aim to prevent misuse of telecom identifiers. Key measures include auto-logout of web sessions every six hours to enhance security and traceability, addressing cyber-fraud losses exceeding ₹22,800 crore in 2024.
2025-12-03 | BBC News: India scraps order to pre-install state-run cyber safety app on smartphones
India has withdrawn its order requiring smartphone manufacturers to pre-install the Sanchar Saathi cyber safety app, which sparked privacy concerns. The app, downloaded by 14 million users and reporting 2,000 frauds daily, faced backlash from cybersecurity experts and major companies like Apple and Samsung. The Minister of Communications dismissed surveillance fears, while digital advocacy groups welcomed the decision but await further legal clarification under the Cyber Security Rules, 2024.
2025-12-03 | ABC News: India rolls back order to preinstall cybersecurity app on smartphones
India's telecom ministry has rescinded its mandate for smartphone manufacturers to preinstall the "Sanchar Saathi" cybersecurity app on new devices. Initially ordered to be installed within 90 days, the app faced backlash over privacy concerns. The ministry noted a surge in downloads, with 600,000 new users in one day, but emphasized that preinstallation would no longer be mandatory. The app, launched in January, helps users track lost phones and combat fraudulent connections, with 14 million downloads to date.
2025-12-03 | TechCrunch: After intense backlash, India pulls mandate to preinstall government app on smartphones
India has reversed its mandate requiring smartphone manufacturers to pre-install the Sanchar Saathi app, an anti-theft and cybersecurity tool, following public backlash over privacy concerns. The app, launched in January 2025, has been downloaded 14 million times and reports on 2,000 cyber-fraud incidents daily. Critics warned that mandatory installation would grant excessive state access to users' devices. The telecom ministry has yet to issue formal instructions reflecting this change.
2025-12-03 | The Guardian: India revokes order to preload smartphones with state-owned security app
India's government revoked its order mandating the pre-installation of the Sanchar Saathi cybersecurity app on all smartphones due to privacy concerns and pushback from tech companies like Apple and Google. The app, intended to help users track lost devices and report fraud, faced criticism for potential misuse as a surveillance tool. The communications minister clarified that the app would be voluntary and could be deleted, while privacy advocates welcomed the decision, urging caution until formal legal confirmation is provided.
2025-12-03 | Recorded Future: India backs off mandatory 'cyber safety' app after surveillance backlash
India has rescinded its mandate requiring smartphone manufacturers to pre-install the Sanchar Saathi app, following backlash over surveillance concerns. The app, aimed at combating fraud and phone theft, has been downloaded by 14 million users. The reversal occurred after criticism from privacy advocates and industry pushback, particularly from Apple regarding security architecture. Digital rights groups view the decision as a positive step but await formal legal confirmation.
2025-12-03 | Cyber Security News: India’s New SIM-Binding Rule for WhatsApp, Signal, Telegram and Other Messaging Platforms
India has mandated a SIM-binding requirement for messaging apps like WhatsApp, Telegram, and Signal, effective November 28, 2025. Apps must ensure users have an active SIM to access services within 90 days. Web versions will log users out every 6 hours for re-authentication. Compliance reports are due in 120 days, with penalties for non-compliance. The government cites rising digital fraud losses as justification, while industry groups express concerns over jurisdiction and operational risks.
4.3 Million Chrome and Edge Users Hacked in 7-Year ShadyPanda Malware Campaign
Date: 2025-12-01 | Source: Cyber Security News
A seven-year malware campaign by ShadyPanda has infected 4.3 million Chrome and Edge users by exploiting trusted browser extensions. The group used legitimate extensions like "Clean Master" to build a user base, then pushed a malicious update in mid-2024, enabling remote code execution (RCE) and extensive data exfiltration. Active Edge extensions, including "WeTab," collect detailed browsing data and transmit it to servers in China. This incident underscores vulnerabilities in browser security models, particularly regarding trust and auto-update mechanisms.
4.3 Million Chrome and Edge Users Hacked in 7-Year ShadyPanda Malware Campaign
2025-12-01 | The Hacker News: ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware
A threat actor named ShadyPanda has transformed five legitimate browser extensions, with over 4.3 million installs, into spyware by introducing malicious updates in mid-2024. These extensions, including Clean Master, now execute remote code, exfiltrate browsing history, and collect browser fingerprints. They also engage in affiliate fraud and redirect search queries for profit. Users are advised to uninstall these extensions and change their credentials due to the extensive surveillance capabilities and potential credential theft.
2025-12-01 | The Register: Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware
A seven-year campaign by the group ShadyPanda infected 4.3 million Chrome and Edge users with malware via seemingly legitimate browser extensions. Five extensions, still active in the Edge marketplace, pushed updates containing backdoors and spyware that exfiltrate sensitive user data to servers in China. The malware allows complete browser surveillance and can inject malicious content. Researchers highlighted the lack of ongoing monitoring by marketplaces as a critical vulnerability in extension management.
2025-12-02 | TechRadar: 4.3 million have installed this malicious browser extension on Chrome and Edge - here's how to check
A campaign named ShadyPanda has turned 145 browser extensions for Chrome and Edge malicious after five years of normal use, affecting approximately 4.3 million devices. Initially benign, the extensions began incorporating affiliate fraud in 2023, followed by cookie theft and search hijacking. By 2025, they enabled remote code execution, allowing attackers to steal sensitive information, including browser histories and session data. Google has removed the affected extensions, while Microsoft's response has been slower.
2025-12-02 | Infosecurity Magazine: ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users
A seven-year campaign by ShadyPanda has infected 4.3 million Chrome and Edge users through malicious browser extensions. A Koi Security report revealed a remote code execution backdoor affecting 300,000 users via five extensions, including Clean Master, which began malicious updates in mid-2024. The malware logged website visits and exfiltrated browsing histories. Users are advised to audit extensions regularly and prefer developers with transparent update histories to mitigate risks.
2025-12-02 | CSO Online: Newly discovered malicious extensions could be lurking in enterprise browsers
A surveillance campaign has been identified, targeting Google Chrome and Microsoft Edge users through malicious browser extensions. The group "ShadyPanda" has infected 4.3 million instances, harvesting browsing data, hijacking search results, and deploying a backdoor for remote code execution. This poses a significant risk to enterprises, especially if affected browsers are used on work PCs or personal devices accessing work resources.
2025-12-02 | Malwarebytes Labs: “Sleeper” browser extensions woke up as spyware on 4 million devices
Researchers uncovered a malware campaign involving five browser extensions that turned into spyware after seven years of normal operation, affecting approximately 4.3 million Chrome and Edge users. The ShadyPanda group, active since 2018, weaponized these extensions by pushing silent updates, enabling remote code execution and data collection. Notably, the WeTab extension, with around three million installs, streams user data in real time. Google has removed the extensions, but they remain available on Edge.
2025-12-02 | Tomsguide: Over 4 million users hit with spyware that can turn your browser extensions into malware — how to stay safe
A long-running malware operation, ShadyPanda, has compromised 20 Chrome and 125 Edge browser extensions, affecting 4.3 million users. Initially benign, these extensions evolved to inject tracking codes, hijack searches, and collect personal data, including browsing history and keystrokes. They facilitated credential theft and session hijacking. Google has removed the extensions, but some remain active on Edge. Users are advised to remove these extensions, reset passwords, and use antivirus software for protection.
2025-12-03 | Hack Read: 7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users
Cybersecurity researchers at Koi Security revealed a seven-year espionage operation by ShadyPanda, infecting over 4.3 million Chrome and Edge users. The group used seemingly legitimate extensions, later converting them into spyware. Two major threats emerged: a Remote Code Execution (RCE) backdoor affecting 300,000 users and a spyware campaign targeting 4 million users via extensions like WeTab. The incident highlights vulnerabilities in extension monitoring and the need for a zero-trust security approach.
2025-12-03 | CSO Online: New malicious browser extensions discovered
Researchers at Koi have identified the cybercrime group "ShadyPanda", which abuses trusted Chrome and Edge extensions to harvest browsing data, manipulate search results, and install a backdoor. In total, 4.3 million browser instances were infected. Security researchers warn that infected developer workstations can lead to compromised repositories and stolen API keys, which significantly raises the risk for enterprises.
2025-12-03 | DIGIT: Millions of Chrome and Edge Users Caught in 7-Year Malware Plot
A seven-year malware campaign by the group ‘ShadyPanda’ has potentially infected over four million Chrome and Edge users through compromised browser extensions. Koi's investigation revealed two operations: one involved five extensions, including Clean Master, leading to Remote Code Execution (RCE) and extensive user data harvesting. The second campaign targeted another five extensions, capturing detailed user activity. Despite recent removals from marketplaces, some malicious extensions remain available, posing risks to enterprises.
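Several of the summaries above (Infosecurity Magazine, Malwarebytes Labs, Tom's Guide) end with the same advice: audit installed extensions and remove the affected ones. The Python below is an added example for this digest, not Koi Security's scanner and not code from any cited article. It assumes the standard Chromium on-disk layout `<profile>/Extensions/<extension id>/<version>/manifest.json` (shared by Chrome and Edge), reports each installed extension with its update URL and the permissions that would let a silently pushed update read every page, cookie and request, and marks any ID found in a caller-supplied list of known-bad IDs. The extension IDs and manifests in `build_sample_profile()` are constructed for the example and are not identifiers from the ShadyPanda report; pass the IDs from that report as `known_bad_ids`.

```python
"""Audit the extensions installed in a Chromium-family (Chrome/Edge) profile.

Added example for this digest; it is not Koi Security's scanner and not code
from any cited article. It assumes the standard Chromium on-disk layout
<profile>/Extensions/<extension id>/<version>/manifest.json. The IDs and
manifests in build_sample_profile() are constructed and are NOT identifiers
from the ShadyPanda report; supply those yourself via known_bad_ids.
"""
import json
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension, and therefore any later silent update,
# read every page, cookie and request: the reach the ShadyPanda updates used.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "tabs", "scripting",
    "history", "webNavigation", "nativeMessaging", "declarativeNetRequest",
}
# Host patterns that match every site (MV2 lists them under "permissions",
# MV3 under "host_permissions").
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

SAMPLE_BENIGN_ID = "a" * 32   # constructed; real IDs are 32 letters a-p
SAMPLE_SUSPECT_ID = "b" * 32  # constructed


def risk_of(manifest):
    """Return the high-risk permissions and all-sites host patterns a manifest declares."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    return (declared & HIGH_RISK_PERMISSIONS) | ((declared | hosts) & BROAD_HOST_PATTERNS)


def audit_profile(profile_dir, known_bad_ids=()):
    """Walk <profile>/Extensions and return one finding per installed extension version."""
    bad = set(known_bad_ids)
    findings = []
    for manifest_path in sorted((Path(profile_dir) / "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        version = manifest_path.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "version": version, "error": "unreadable manifest"})
            continue
        findings.append({
            "id": ext_id,
            "version": version,
            "name": manifest.get("name", "?"),
            "update_url": manifest.get("update_url", ""),
            "risky_permissions": sorted(risk_of(manifest)),
            "known_bad": ext_id in bad,
        })
    return findings


def build_sample_profile():
    """Write a throwaway profile with one benign and one over-privileged extension (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    manifests = {
        (SAMPLE_BENIGN_ID, "1.0.3"): {
            "manifest_version": 3, "name": "Notes (sample)",
            "permissions": ["storage"],
        },
        (SAMPLE_SUSPECT_ID, "7.2.0"): {
            "manifest_version": 3, "name": "Tab Tidy (sample)",
            "permissions": ["cookies", "webRequest", "scripting", "tabs", "storage"],
            "host_permissions": ["<all_urls>"],
            "update_url": "https://updates.example.invalid/crx",  # constructed
        },
    }
    for (ext_id, version), manifest in manifests.items():
        ext_dir = root / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Usage: python audit_extensions.py [profile directory]; with no argument it audits the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for finding in audit_profile(target):
        flag = "!!" if finding.get("known_bad") or finding.get("risky_permissions") else "  "
        print(flag, finding["id"], finding["version"], finding.get("name"), finding.get("risky_permissions"))
```

Point it at the real profile directory: on Windows, Chrome keeps it under `%LOCALAPPDATA%\Google\Chrome\User Data\Default` and Edge under `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`; on macOS, `~/Library/Application Support/Google/Chrome/Default`; on Linux, `~/.config/google-chrome/Default`. The permission check is the part worth keeping even after the named extensions are gone: the ShadyPanda extensions were benign for years, so a clean reputation today says nothing about the next update, and an extension that does not need all-sites access should not have been granted it.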
Korea’s Coupang says data breach exposed nearly 34M customers’ personal information
Date: 2025-12-01 | Source: TechCrunch
Coupang, a South Korean e-commerce platform, reported a data breach affecting nearly 34 million customers, with unauthorized access beginning on June 24, 2025. The breach exposed names, email addresses, phone numbers, shipping addresses, and order histories, but not payment information or login credentials. Coupang has notified the Korea Internet Security Agency and other authorities. Police have identified a suspect, a former employee, and the company has enhanced security measures following the incident.
Korea’s Coupang says data breach exposed nearly 34M customers’ personal information
2025-12-01 | Recorded Future: Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country’s population
A data breach at South Korea's largest online retailer, Coupang, has compromised the personal details of 33.7 million customer accounts, affecting approximately 65% of the country's population. The breach involved names, email addresses, phone numbers, and order histories, but not payment information. An investigation is underway, with suspicions pointing to a former employee. The South Korean government is reviewing its data protection laws following multiple recent breaches, highlighting systemic weaknesses.
2025-12-01 | The Register: South Korea's answer to Amazon admits breach exposed 33.7M customers
Coupang, South Korea's largest retail platform, reported a data breach exposing personal details of 33.7 million customers, including names, email addresses, phone numbers, and shipping addresses. The breach, detected on November 18, originated from unauthorized access starting June 24 via overseas servers. Coupang has notified authorities and strengthened security measures. Local media suggest a former employee may have leaked the data. Customers are advised to be cautious of impersonation attempts.
2025-12-01 | Infosecurity Magazine: South Korea's Coupang Confirms 34 Million Customer Data Leak
Coupang, a South Korean e-commerce platform, confirmed a data breach affecting 33.7 million customers, revealing names, emails, and phone numbers. The breach, which began in June 2025 and was detected on November 18, did not compromise payment information or login credentials. The Seoul Metropolitan Police identified a suspect, a former employee, and are investigating potential threats related to the breach. Coupang has enhanced internal monitoring and blocked the access route. The police are analyzing server logs and tracking the suspect's IP address.
2025-12-01 | TechRadar: South Korean ecommerce giant Coupang suffers huge data breach - over 33 million accounts affected, here's what we know
Coupang, South Korea's largest ecommerce platform, experienced a significant data breach affecting over 33 million accounts. The breach, linked to an ex-employee's active account, exposed names, emails, phone numbers, addresses, and order details, but not passwords or payment information. The attack began on June 24, 2025, and was only recently detected. CEO Park Dae-joon issued an apology, and over 10,000 customers are pursuing a class-action lawsuit for compensation.
2025-12-01 | Cyber Security News: Coupang Data Breach Exposed Personal Data of 33.7 Million Customers Personal Records
Coupang has confirmed a data breach affecting 33.7 million customers, exposing names, phone numbers, email addresses, shipping addresses, and order histories. The breach was caused by a former employee exploiting unrevoked internal access credentials. Sensitive financial data was not compromised. The unauthorized access began on June 24, 2025, and was detected on November 18. Coupang faces potential fines up to 1 trillion won ($680 million) under the Personal Information Protection Act. Investigations are ongoing.
2025-12-01 | Hack Read: Coupang Data Breach Affects All 33.7 Million South Korean Accounts
Coupang, South Korea's largest e-commerce platform, has reported a significant data breach affecting 33.7 million accounts, including names, phone numbers, emails, and addresses. The breach, detected on November 18, is believed to have begun in late June and involved unauthorized access to a server outside the country. While sensitive data like payment information remains secure, users are warned about potential phishing attempts. Investigations are ongoing, and Coupang is cooperating with authorities.
2025-12-02 | Security Magazine: 34M Impacted by Coupang Breach, Security Leaders Respond
Coupang, a major South Korean e-commerce platform, suffered a data breach affecting approximately 33.7 million accounts, discovered on Nov. 18. Compromised data includes names, email addresses, phone numbers, and shipping addresses, but payment data and login credentials remain secure. Experts emphasize the need for strong database encryption, monitoring for suspicious activity, and adopting an 'assume you are breached' mindset to mitigate risks and enhance recovery capabilities.
2025-12-02 | Security Affairs: ‘Korea’s Amazon’ Coupang discloses a data breach impacting 34M customers
Coupang disclosed a data breach affecting nearly 34 million customers, exposing personal information over five months, starting June 24, 2025. Unauthorized access was detected on November 18, impacting 33.7 million accounts. Exposed data included names, emails, phone numbers, and shipping addresses, but no payment information was compromised. Coupang notified relevant authorities and intensified monitoring to prevent further damage. A suspect, a former employee, has been identified.
2025-12-02 | Risky.Biz: Risky Bulletin: India orders IM apps to link user accounts to a SIM card
Coupang, South Korea's largest retailer, suffered a breach affecting 33.7 million customers, with hackers threatening to disclose the incident unless cybersecurity practices improve. OpenAI reported customer data exposure due to a breach at Mixpanel. A ransomware attack impacted three West London councils. The French Football Federation confirmed unauthorized access to a software panel. Additionally, British ISP Brsk reported the theft of personal details from over 230,000 customers.
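The failure the Cyber Security News and TechRadar summaries above describe, a former employee's still-active credentials used for five months before anyone noticed, is detectable with a join that many teams never run: successful authentications against the HR roster of termination dates. The Python below is an added example for this digest, not Coupang's code and not from any cited article. The roster, the JSON-lines log format and field names, and every log line are constructed for the example; the dates are illustrative, not incident data.

```python
"""Detect use of credentials that should have been revoked at offboarding.

Added example for this digest, not code from Coupang or any cited article. It
assumes two inputs most organisations already have: an HR roster giving each
account's termination date, and authentication logs as JSON lines (field names
constructed here; adapt them to your IdP or bastion). A successful login by an
account after its owner's termination date is the finding; accounts with no
owner in the roster are reported too, since nobody remembers to revoke those.
"""
import json
from datetime import date, datetime, timedelta

# Constructed HR roster: account -> termination date (None = still employed).
SAMPLE_ROSTER = {
    "jdoe": None,
    "asmith": date(2025, 5, 30),
    "svc-backup": None,
}

# Constructed auth log (JSON lines). Dates and addresses are illustrative.
SAMPLE_AUTH_LOG = """\
{"ts": "2025-06-23T08:02:11Z", "user": "jdoe", "result": "success", "src": "10.0.4.12"}
{"ts": "2025-06-24T01:17:45Z", "user": "asmith", "result": "success", "src": "203.0.113.7"}
{"ts": "2025-06-24T01:18:02Z", "user": "asmith", "result": "success", "src": "203.0.113.7"}
{"ts": "2025-07-02T14:40:19Z", "user": "svc-backup", "result": "success", "src": "10.0.9.3"}
{"ts": "2025-05-28T09:15:00Z", "user": "asmith", "result": "success", "src": "10.0.4.30"}
{"ts": "2025-06-25T03:00:00Z", "user": "ghost", "result": "success", "src": "198.51.100.9"}
{"ts": "2025-06-26T03:00:00Z", "user": "asmith", "result": "failure", "src": "198.51.100.9"}
"""


def parse_auth_log(text):
    """Yield (timestamp, user, result, src) tuples from JSON-lines auth records."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, rec["user"], rec["result"], rec["src"]


def find_post_termination_logins(log_text, roster, grace_days=0):
    """Return successful logins by terminated or unknown accounts.

    grace_days tolerates a short handover after the termination date; 0 is strict.
    """
    findings = []
    for ts, user, result, src in parse_auth_log(log_text):
        if result != "success":
            continue  # failed attempts are a separate (brute-force) signal
        if user not in roster:
            findings.append({"user": user, "ts": ts, "src": src, "reason": "no owner in roster"})
            continue
        term = roster[user]
        if term is not None and ts.date() > term + timedelta(days=grace_days):
            days_after = (ts.date() - term).days
            findings.append({"user": user, "ts": ts, "src": src,
                             "reason": f"login {days_after} days after termination"})
    return findings


def first_misuse_per_account(findings):
    """Collapse findings to the earliest offending login per account, to scope a data-access review."""
    earliest = {}
    for f in findings:
        if f["user"] not in earliest or f["ts"] < earliest[f["user"]]["ts"]:
            earliest[f["user"]] = f
    return earliest


if __name__ == "__main__":
    hits = find_post_termination_logins(SAMPLE_AUTH_LOG, SAMPLE_ROSTER)
    for user, f in sorted(first_misuse_per_account(hits).items()):
        print(f"{user:12} first seen {f['ts'].isoformat()} from {f['src']}: {f['reason']}")
```

Run it as a scheduled job over the IdP, VPN and bastion logs with the roster exported from the HR system, and alert on any finding; the cheaper control is automated deprovisioning on the termination date, and this query is the backstop that tells you when that control has failed. The earliest timestamp per account is the number the incident team needs first: it bounds how much data could have been read, which is the gap between June 24 and November 18 in the Coupang reports above.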
Europol Takes Down Illegal Cryptocurrency Mixing Service
Date: 2025-12-01 | Source: Infosecurity Magazine
Europol, in collaboration with Swiss and German law enforcement, dismantled the illegal cryptocurrency mixing service 'Cryptomixer' from November 24 to 28 in Zurich, Switzerland. The operation seized €25 million ($30 million) in Bitcoin, three servers, and the cryptomixer.io domain. Over 12 terabytes of data were confiscated. Following the shutdown, a seizure banner was placed on the website to inform users of the illegal service's closure.
Europol Takes Down Illegal Cryptocurrency Mixing Service
2025-12-01 | CSO Online: Investigators dismantle online money-laundering platform
As part of Operation Olympia, the platform "cryptomixer.io", a Bitcoin mixer, was taken offline by investigators from Germany and Switzerland. The server infrastructure was seized and cryptocurrency worth about 25 million euros was secured. The investigation, which involved the Frankfurt Public Prosecutor General's Office, the Zurich Cantonal Prosecutor's Office, the Federal Criminal Police Office (BKA) and Europol, shows that the majority of the swapped assets were of criminal origin.
2025-12-01 | Help Net Security: Cryptomixer crypto laundering service taken down by law enforcement
German and Swiss law enforcement agencies dismantled Cryptomixer, a cryptocurrency laundering service, seizing over 25 million euros in Bitcoin during Operation Olympia in late November 2025. The operation, supported by Europol and Eurojust, involved confiscating three servers and the cryptomixer.io domain, yielding over 12 terabytes of data. Cryptomixer, operational since 2016, facilitated the laundering of over 1.3 billion euros in Bitcoin for various criminal activities, including ransomware and drug trafficking.
2025-12-01 | Cybersecurity Dive: European police dismantle cryptocurrency mixer popular with ransomware gangs
European authorities dismantled the illegal cryptocurrency mixer Cryptomixer, which laundered over $1.5 billion for ransomware gangs since 2016. Swiss and German law enforcement seized its servers and domain from Nov. 24-28, confiscating over 12 terabytes of data and €25 million in laundered Bitcoin. This operation, part of ongoing efforts against mixing services, follows previous actions against ChipMixer. Notably, North Korean hackers utilized Cryptomixer for laundering stolen funds.
2025-12-01 | Hack Read: Police Seize Cryptomixer Domains, Infrastructure and 28M Dollars in Bitcoin
Swiss and German authorities seized the Cryptomixer cryptocurrency mixing service in Zurich, recovering over €24 million ($28 million) in Bitcoin and more than 14 terabytes of data. The operation, part of Operation Olympia and coordinated by Europol, targeted the service's use by ransomware groups and dark web markets. Cryptomixer, operational since 2016, processed over €1.3 billion in Bitcoin, facilitating cybercrime by obscuring transaction trails. Investigations continue into the seized data.
2025-12-01 | Recorded Future: Cryptomixer platform raided by European police; $29 million in bitcoin seized
Law enforcement in Switzerland and Germany has dismantled Cryptomixer, a major cryptocurrency mixing service suspected of laundering illicit funds. Europol reported that the platform, operational since 2016, handled over €1.3 billion ($1.5 billion), primarily linked to criminal activities. Authorities seized three servers, over $29 million in bitcoin, and 12 terabytes of data. Cryptomixer provided anonymity for ransomware gangs and fraudsters, obscuring money movement on the blockchain. This action follows previous takedowns of similar services.
2025-12-01 | Cyberscoop: Authorities take down Cryptomixer, seize $28M in Switzerland
European authorities shut down Cryptomixer, a cryptocurrency mixing service linked to over $1.5 billion in money laundering. The operation, part of “Operation Olympia,” seized nearly $28 million in Bitcoin, three servers, the cryptomixer.io domain, and over 12 terabytes of data. Cryptomixer, operational since 2016, was favored by cybercriminals for laundering activities, including ransomware and fraud. The takedown reflects ongoing global efforts to disrupt services used by cybercriminals.
2025-12-01 | TechCrunch: European cops shut down crypto mixing website that helped launder 1.3B euros
Europol announced the shutdown of the cryptocurrency laundering service Cryptomixer, which facilitated the laundering of 1.3 billion euros ($1.5 billion) since 2016. Authorities seized €25 million ($29 million) in bitcoin, three servers, and 12 terabytes of data. Cryptomixer was used by cybercriminals for various illegal activities, including ransomware attacks. Its software obscured the traceability of funds on public blockchains, making it difficult to trace the origin of cryptocurrencies.
2025-12-02 | Security Affairs: Law enforcement shuts down Cryptomixer in major crypto crime takedown
Law enforcement, including Europol, shut down Cryptomixer, a crypto-mixing service used for laundering cybercrime proceeds, seizing $29M in Bitcoin. The operation, part of "Operation Olympia," occurred from November 24-28, 2025, led by German and Swiss authorities. Cryptomixer mixed over EUR 1.3 billion in Bitcoin since 2016, facilitating anonymity for cybercriminals. Investigators linked it to various ransomware groups and illegal activities, laundering approximately 152,000 BTC.
2025-12-02 | The Register: Europol nukes Cryptomixer laundering hub, seizing €25M in Bitcoin
Europol, along with German and Swiss authorities, dismantled the cryptocurrency laundering platform Cryptomixer during Operation Olympia from November 24-28, seizing three servers, the domain cryptomixer.io, 12 terabytes of data, and over €25 million in Bitcoin. Since its inception in 2016, Cryptomixer laundered over €1.3 billion. The operation highlights ongoing efforts to disrupt cybercrime infrastructure, including targeting bulletproof hosting providers used by criminals.
2025-12-02 | TechRadar: Huge cryptomixer takedown sees feds seize over $30 million
Europol and law enforcement from Germany and Switzerland have shut down Cryptomixer.io, a significant cryptocurrency mixing service, seizing three servers, the domain, 12TB of data, and approximately $29 million in crypto assets. Operating since 2016, Cryptomixer.io was linked to criminal activities, facilitating the mixing of cryptocurrencies to obscure transaction histories. This operation follows previous takedowns of similar services, highlighting ongoing efforts to combat cybercrime.
New Albiriox Malware Attacking Android Users to Take Complete Control of their Device
Date: 2025-11-29 | Source: Cyber Security News
A new Android malware named "Albiriox" has emerged, offering advanced remote access as a Malware-as-a-Service (MaaS). Identified by Cleafy, it allows attackers to control infected devices for On-Device Fraud (ODF). First appearing in September 2025, it uses a two-stage infection process involving social engineering and a dropper app. Albiriox targets over 400 financial applications and employs techniques like VNC streaming and "Golden Crypt" obfuscation to evade detection.
New Albiriox Malware Attacking Android Users to Take Complete Control of their Device
2025-12-01 | The Hacker News: New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control
A new Android malware, Albiriox, has emerged as a malware-as-a-service (MaaS) targeting over 400 applications, including banking and cryptocurrency platforms. It employs social engineering tactics to distribute dropper apps that install the malware, allowing remote control via VNC and bypassing Android security features. Albiriox can conduct on-device fraud, steal credentials, and manipulate screens. The malware's developers are believed to be Russian-speaking, and it has already targeted Austrian victims through deceptive SMS campaigns.
2025-12-01 | Security Affairs: Emerging Android threat ‘Albiriox’ enables full On‑Device Fraud
Albiriox is a new Android MaaS malware identified in September 2025, targeting over 400 banking, fintech, and payment apps. It enables on-device fraud through real-time control and screen manipulation. The malware employs a VNC-based remote access module and uses deceptive tactics, such as fake app downloads and overlays for credential theft. It communicates via unencrypted TCP sockets and features extensive device control capabilities. Albiriox is marketed as a stealthy, fully undetectable tool for cybercriminals, with a subscription model starting at $650 per month.
2025-12-01 | TechRadar: Android malware Albiriox abuses 400+ financial apps in on-device fraud and screen manipulation attacks
A new Android malware named Albiriox targets Austrian users' banking and crypto apps, utilizing over 400 overlays to steal sensitive data. Advertised on the dark web, it employs fake apps and dropper APKs to gain remote control of devices. Victims are lured into sharing phone numbers to receive malicious APK links. The malware exfiltrates data, including passwords, to a Telegram channel. Researchers attribute the campaign to Russian actors based on their cybercrime forum activity and infrastructure.
2025-12-01 | Malwarebytes Labs: New Android malware lets criminals control your phone and drain your bank account
Albiriox is a new Android banking malware family that allows attackers to gain live remote control over infected devices, enabling them to drain bank and crypto accounts. First observed in September 2025, it is sold as Malware-as-a-Service (MaaS) and targets over 400 financial applications globally. Albiriox employs advanced techniques like screen streaming, on-device fraud, and accessibility abuse to bypass security measures. Users are advised to install apps only from official sources and use trusted anti-malware solutions.
2025-12-01 | Infosecurity Magazine: New Android Albiriox Malware Gains Traction in Dark Web Markets
A new Android malware, Albiriox, has emerged on Russian-speaking cybercrime forums as a Malware-as-a-Service (MaaS), enabling full device takeover and real-time fraud. It targets over 400 banking and cryptocurrency apps globally. Initially deployed in a limited campaign against Austrian users, it uses SMS phishing to distribute a malicious app. Albiriox features include remote control, credential harvesting, and evasion tactics. Analysts warn it poses a growing risk to financial institutions as it matures.
French Football Federation Suffers Data Breach
Date: 2025-11-28 | Source: Infosecurity Magazine
The French Football Federation (FFF) reported a data breach on November 26, revealing unauthorized access to its software platform, affecting millions of amateur players. Exposed data includes names, genders, birth dates, nationalities, addresses, emails, phone numbers, and football license IDs. The breach likely occurred on November 20. The FFF has secured the platform, filed a complaint, and notified relevant authorities. They advise license holders to remain vigilant against phishing scams following the incident.
French Football Federation Suffers Data Breach
2025-11-28 | Cyber Security News: French Football Federation Reports Data Breach – Hackers Access Club Software Admin Controls
The French Football Federation (FFF) reported a data breach where hackers accessed personal data of members via compromised admin controls. The breach involved sensitive PII, including names, birth dates, addresses, and contact details, increasing identity theft risk. The FFF disabled the compromised account and enforced a password reset. They notified regulatory authorities and are communicating with affected individuals. The FFF advised vigilance against phishing attempts using stolen PII and is enhancing security measures against cyberattacks.
2025-11-28 | Security Affairs: Attackers stole member data from French Soccer Federation
The French Soccer Federation (FFF) reported a data breach involving a compromised account that allowed attackers to steal member data. The breach exposed limited information, including names, contact details, and license numbers. The FFF took immediate action by disabling the compromised account and resetting all user passwords. They filed a complaint with authorities and will notify affected individuals. Members are advised to be cautious of suspicious communications.
2025-12-01 | TechRadar: Millions of footballers see info leaked after French Football Federation suffers data breach
The French Football Federation (FFF) experienced a data breach due to a compromised account, exposing members' personal data, including names, birth dates, and contact information, but not passwords or banking details. This incident raises phishing risks, prompting the FFF to warn members about suspicious communications. The compromised account has been terminated, and authorities have been notified. The FFF has faced multiple cyberattacks in recent years, including significant breaches in 2024 and 2025.
2025-12-01 | The Register: French Football Federation faces own-goal after club software data breach
The French Football Federation (FFF) experienced a data breach after attackers accessed its member management software via a compromised account. The breach exposed player data, including names, birth details, and contact information, but no banking data was involved. The FFF has filed a criminal complaint, informed cybersecurity authorities, and reset all user passwords. It will notify affected individuals and advised caution against phishing attempts related to the incident.
London Councils’ IT Systems Impacted by CyberAttack, Including Phone Lines
Date: 2025-11-28 | Source: Cyber Security News
On November 25, three West London councils, the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC) and Hammersmith and Fulham, experienced significant IT and phone service disruptions due to a cyberattack on a shared services provider. The councils are investigating the incident, which experts suspect may involve ransomware. Critical services are prioritized, and manual workarounds are in place. Residents are advised to check official channels for updates and expect delays. The full impact and potential data compromise remain under investigation.
2025-11-28 | TechRadar: Multiple London councils affected by apparent cyberattack
Three London councils—Kensington and Chelsea, Westminster, and Hammersmith and Fulham—were impacted by a cyberattack that disrupted core services, including phone lines and online reporting. Experts suspect a ransomware attack linked to shared IT services. The councils are collaborating with the National Crime Agency and the National Cyber Security Centre, but details remain scarce. The incident has prompted activation of emergency plans, and investigations are ongoing to determine if data was compromised.
2025-12-01 | Infosecurity Magazine: Royal Borough of Kensington and Chelsea Reveals Data Breach
The Royal Borough of Kensington and Chelsea (RBKC) reported a data breach following a cyber-attack on an IT service provider, discovered on November 28. Evidence indicates that some historical data was copied and may be publicly exposed. Residents are advised to be vigilant against potential phishing attacks using stolen data. Disruptions to services are expected to last at least two weeks. The breach may also affect Westminster City Council and Hammersmith and Fulham, which share IT services with RBKC.
2025-12-02 | The Register: Kensington and Chelsea confirms IT outage was a data breach after all
Kensington and Chelsea Council confirmed that a recent IT outage was a data breach, with evidence showing data was copied from its systems. The nature and extent of the stolen data remain unclear, but the council is investigating potential impacts on personal and financial information. Residents are advised to remain vigilant against phishing attempts. The incident is under investigation by the National Cyber Security Centre and the Metropolitan Police, with ongoing disruptions expected for at least two weeks.
Asahi confirms cyberattack leaked data on 1.5 million customers
Date: 2025-11-27 | Source: TechRadar
Asahi confirmed a ransomware attack that exposed personal data of over 1.5 million customers, including names, gender, addresses, phone numbers, and emails. The intrusion was detected on September 29, with attackers accessing servers through equipment at Asahi's site. Ransomware group Qilin claimed responsibility and listed Asahi on their dark web leak site. An additional 300,000 individuals, including employees and their families, may also have had data exposed. No evidence of data misuse has been reported.
2025-11-27 | The Register: Asahi admits ransomware gang may have spilled almost 2M people's data
Asahi has acknowledged that a ransomware attack in September may have compromised personal data of nearly 2 million individuals. The Qilin ransomware group claimed responsibility, stealing approximately 27 GB of sensitive files. Affected data includes names, addresses, and contact details, but not credit card information. The breach, originating from compromised network equipment, disrupted operations and delayed the company's earnings report by over 50 days. Asahi is cautiously restoring systems and notifying affected individuals.
2025-11-27 | Infosecurity Magazine: Asahi Confirms 1.5 Million Customers Affected in Major Cyber-Attack
Asahi confirmed that a cyber-attack in September 2025 potentially exposed personal data of approximately 1.914 million individuals, including 1.525 million customers. Data exposed includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers, but not credit card information. The Qilin ransomware group claimed responsibility, and Asahi faced operational disruptions, including a postponed product launch. The financial impact for fiscal year 2025 is under review.
2025-11-27 | Security Affairs: Asahi says crooks stole data of approximately 2M customers and employees
Asahi Group Holdings reported a ransomware attack in September 2025, resulting in the theft of data from approximately 2 million customers and employees. The Qilin ransomware group claimed responsibility, leaking 27GB of data, including personal information such as names, addresses, and contact details. Affected parties include 1.5 million customer service contacts, 107,000 employees, and 168,000 family members. No financial information was compromised. The company is investigating the breach and enhancing security measures.
2025-11-28 | Recorded Future: Japanese beer giant Asahi says ransomware attack may have exposed data of 1.5 million people
Japanese brewer Asahi reported that a ransomware attack may have exposed personal data of approximately 1.5 million individuals, including customers and employees. The breach, which occurred in late September, compromised names, gender, addresses, and phone numbers, but not credit card information. The attack disrupted production and logistics, leading to product shortages. Asahi is restoring operations and implementing new security measures. The Qilin ransomware gang claimed responsibility, but Asahi has not paid a ransom.
OpenAI Discloses Mixpanel Data Breach – Name, Email Address and Operating System Details Exposed
Date: 2025-11-27 | Source: Cyber Security News
On November 9, 2025, Mixpanel detected unauthorized access to its systems, exposing identifiable information of some OpenAI API users, including names, email addresses, and operating system details. OpenAI confirmed that no sensitive data from its systems was compromised. Following the breach, OpenAI removed Mixpanel from its environment and is notifying affected users. They advise vigilance against phishing attempts and recommend enabling multi-factor authentication for added security.
2025-11-27 | Times Now: ChatGPT Hacked, Email Addresses And Names Of Users Exposed: Here's What You Should Do Right Now
OpenAI has confirmed a breach at its analytics provider Mixpanel that exposed the email addresses and names of users of its API platform. In response, OpenAI has removed Mixpanel from its production services and is notifying affected companies, admins, and users. Importantly, the breach did not compromise sensitive information such as API keys, passwords, government IDs, or payment details.
2025-11-27 | Infosecurity Magazine: OpenAI Warns of Mixpanel Data Breach Impacting API Users
OpenAI reported a data breach involving Mixpanel, affecting its API users. An attacker accessed Mixpanel's systems on November 9, with data shared with OpenAI on November 25. Exposed information includes API account names, email addresses, approximate locations, operating systems, and organization IDs. OpenAI confirmed no breach of its systems occurred, and no sensitive data was compromised. Users are advised to be vigilant against phishing attempts and to follow recommended security practices.
2025-11-27 | Hack Read: OpenAI API User Data Exposed in Mixpanel Breach, ChatGPT Unaffected
OpenAI confirmed a data breach involving Mixpanel, exposing limited API user metadata such as names, emails, and browser info. OpenAI's systems were not breached, and no sensitive data like passwords or payment info was compromised. The company removed Mixpanel from its systems and notified affected users, advising them to enable multi-factor authentication. Mixpanel detected suspicious access and has resolved the vulnerability. Regular ChatGPT users were not affected, but caution is advised against phishing attempts.
2025-11-27 | CSO Online: OpenAI-Dienstleister gehackt
Cybercriminals gained access to the systems of Mixpanel, a data analytics provider for OpenAI, in early November. Data potentially compromised includes API account names, associated email addresses, approximate location based on the user's browser, operating system and browser used for API access, referring websites, and organization or user IDs linked to the API account. OpenAI warns that the stolen data could be used in phishing or social engineering attacks.
2025-11-27 | CSO Online: OpenAI admits data breach after analytics partner hit by phishing attack
OpenAI disclosed a data breach caused by a phishing attack on its analytics partner Mixpanel, detected on November 8. The attackers ran a smishing (SMS phishing) campaign that gave them access to Mixpanel's systems, from which they stole customer profile information related to OpenAI's API portal. Mixpanel's CEO, Jen Taylor, confirmed the incident and noted that the company promptly initiated its incident response processes following detection of the attack.
2025-11-27 | Security Affairs: OpenAI data may have been exposed after a cyberattack on analytics firm Mixpanel
OpenAI has alerted users that a cyberattack on analytics firm Mixpanel may have exposed their data, specifically user profile details from platform.openai.com, including names, emails, and organization IDs. The breach, linked to a smishing attack detected on November 8, 2025, did not compromise OpenAI's systems. Mixpanel has since secured affected accounts, revoked sessions, and engaged cybersecurity partners for remediation. They are implementing new controls to prevent future incidents.
2025-11-27 | The Register: OpenAI cuts off Mixpanel after analytics leak exposes API users
OpenAI has terminated its relationship with Mixpanel following a data breach that exposed API users' profile information, including names, email addresses, and organization IDs. The breach was detected on November 9 and reported to OpenAI on November 25. OpenAI is conducting security reviews of its vendors and notifying affected users directly. Users are advised to be cautious of potential phishing attempts but do not need to reset passwords. The extent of affected users remains undisclosed.
2025-11-28 | DIGIT: OpenAI Dumps API Analytics Provider Following Data Breach
OpenAI terminated its use of Mixpanel following a data breach on November 9, 2025, that exposed user information from its API, including personal emails and analytics data. The breach involved unauthorized access to Mixpanel's systems, with affected data potentially including names, email addresses, and location information. OpenAI confirmed no breach of its own systems occurred and is notifying impacted users while monitoring for misuse. Users are advised to be cautious of potential phishing attacks related to the incident.
Scattered Lapsus$ Hunters Take Aim At Zendesk Users
Date: 2025-11-27 | Source: Infosecurity Magazine
The Scattered Lapsus$ Hunters group is targeting Zendesk users with over 40 typosquatted domains created in the past six months, hosting phishing pages designed to harvest credentials. The group is also submitting fraudulent helpdesk tickets to infect support personnel with malware. Discord may be the first victim, having experienced a breach via a third-party provider, compromising user data. Organizations are urged to enhance security measures against these tactics.
2025-11-27 | The Register: Zendesk users targeted as Scattered Lapsus$ Hunters spin up fake support sites
Scattered Lapsus$ Hunters are targeting Zendesk users with a new extortion campaign, utilizing over 40 typosquatted domains to impersonate Zendesk. These domains host fake SSO pages to harvest credentials and submit fraudulent helpdesk tickets. The attackers may deploy remote-access trojans (RATs) via these tickets, potentially compromising corporate networks. This campaign follows a similar attack on Salesforce and is part of a broader strategy to exploit SaaS platforms, as indicated by the group's recent activities and threats.
2025-11-28 | Cyber Security News: Scattered Lapsus$ Hunters Registered 40+ Domains Mimicking Zendesk Environments
A campaign by the "Scattered Lapsus$ Hunters" group targets Zendesk customers: the group has registered over 40 typosquatted domains that mimic legitimate Zendesk login environments, capturing user credentials through fraudulent SSO portals, and abuses the trust organizations place in the shared support platform as a supply-chain entry point. The attackers also submit fake support tickets to bypass defenses, embedding links to malicious payloads. The campaign poses significant risks, including theft of sensitive customer data and persistent remote access via Remote Access Trojans (RATs).
2025-11-28 | CSO Online: Scattered Lapsus$ Hunters target Zendesk users with fake domains
Scattered Lapsus$ Hunters targeted Zendesk users with over 40 fake domains to steal credentials and install malware. These domains, registered in the last six months, mimic the setup used in a previous attack on Salesforce. The campaign aims at Zendesk, which serves over 100,000 organizations. Some domains hosted fake login pages resembling real Zendesk screens, while others included various company names to enhance legitimacy, increasing the likelihood of user trust and engagement.
2025-11-28 | TechRadar: Zendesk users targeted by Scattered Lapsus$ Hunters hackers and fake support sites
Hackers from the Scattered Lapsus$ Hunters group are targeting Zendesk users by registering over 40 typosquatted domains to steal credentials. These domains, linked to a similar campaign against Salesforce, were found to be registered through NiceNic. Attackers are submitting fake tickets to infect support staff with malware, including remote access trojans (RATs). The group denied involvement in a recent Discord incident related to a Zendesk breach, claiming they compromised Okta instead.
2025-12-01 | Cybersecurity Dive: Hackers ready threat campaign aimed at Zendesk environments
Hackers affiliated with Scattered Lapsus$ Hunters are preparing a threat campaign against Zendesk environments, as reported by ReliaQuest. Over the past six months, around 40 typosquatting domains mimicking Zendesk have been created, some hosting phishing pages with fake single sign-on portals to steal credentials. Researchers noted fraudulent tickets submitted to legitimate Zendesk portals aimed at infecting help-desk personnel with malware. Zendesk is actively monitoring and responding to these threats.
How to Stay Safe Online This Black Friday, According to a Cyber Expert
Date: 2025-11-27 | Source: Security Magazine
During the holiday season, cybercriminals exploit increased online shopping, with U.S. consumers expected to spend nearly $80 billion this Black Friday. Cyber threats, including social engineering and skimming attacks, are anticipated to rise. Organizations are at risk if employees fall victim to scams. Recommendations include avoiding unsolicited links, ensuring accurate domains, using MFA and VPNs, and enforcing strong passwords. Awareness of fake promotions and gift card offers is crucial to protect personal information.
2025-11-27 | Times Now: Black Friday 2025: How Scammers Are Tricking Users With Fake Discounts, Tips To Stay Safe
Experts warn shoppers about increased scams during Black Friday 2025, with fake brand sites proliferating through social media ads and messaging apps. These fraudulent sites attract hundreds of visitors, converting 3-8%, potentially earning scammers $2,000 to $12,000 per site before shutdown. Cybersecurity analysts recommend heightened awareness, advising consumers to purchase only from official websites or verified apps, as many deals may be deceptive.
2025-11-28 | TechRadar: Take extra care shopping for Black Friday deals - experts find thousands of fake websites looking to steal your details
Cybersecurity experts CloudSEK have identified over 2,000 fraudulent Black Friday ecommerce sites designed to steal money and personal data. These scams, primarily impersonating Amazon and other major brands, utilize urgency tactics and standardized phishing kits. The campaign could potentially yield over $24 million in stolen funds, with each site capable of generating up to $12,000. The rise of these scams highlights the increasing automation and industrialization of holiday fraud, posing significant risks to consumers.
2025-11-30 | Hack Read: Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday
Over 2,000 fake online shopping sites have been identified, particularly targeting shoppers during Black Friday and Cyber Monday. Cybersecurity firm CloudSEK discovered these sites, which impersonate major brands like Amazon, Apple, and Samsung. Scammers use phishing kits to create urgency with fake countdowns and trust badges, redirecting payments through fraudulent portals. Researchers warn that these scams could lead to significant financial losses for consumers and erode trust in e-commerce. Shoppers are advised to be cautious of deals that seem too good to be true.
2025-12-01 | Cyber Security News: Hackers Registered 2,000+ Fake Holiday-Themed Online Stores to Steal User Payments
Hackers have registered over 2,000 fake holiday-themed online stores to steal payment information from consumers. These sites, mimicking legitimate brands like Amazon and Apple, use social engineering tactics, including fake trust badges and urgency prompts, to deceive shoppers. The operation is well-coordinated, utilizing identical phishing kits and shared infrastructure. The impact includes financial losses and increased risks of identity theft, undermining trust in the e-commerce ecosystem.
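The Zendesk campaign above (typosquatted domains hosting fake SSO pages) and the fake holiday storefronts impersonating Amazon, Apple and Samsung are the same detection problem: spotting lookalike domains in a feed of new registrations or certificate-transparency log entries before users reach them. The script below is an added example written for this digest to serve both passages; it is not code from ReliaQuest, CloudSEK, Zendesk or any cited article. It assumes a brand watchlist, an allowlist of the brands' own domains, a small confusable-character table and a handful of multi-part public suffixes, all stated in the code, and it runs over a constructed list of sample domains rather than real registrations.

```python
"""Lookalike-domain triage for brand impersonation (typosquats, confusables, brand keywords).

Added example for this digest, not code from any cited article or vendor. The brand
watchlist, allowlist, confusable tables, suffix list and sample domains are all assumptions.
"""
from __future__ import annotations

import re
import unicodedata

BRANDS = ["zendesk", "amazon", "apple", "samsung"]                      # assumption: brands to protect
ALLOWLIST = {"zendesk.com", "amazon.com", "apple.com", "samsung.com"}  # assumption: the brands' own domains
MULTI_PART_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}            # stand-in for the Public Suffix List

# Single characters attackers swap for Latin letters: digits and Cyrillic look-alikes (U+0430 etc.).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
CONFUSABLE_SEQS = [("rn", "m"), ("vv", "w")]  # multi-character look-alikes: "arnazon", "vvindows"
SCORE = {"confusable_brand": 90, "typosquat": 80, "brand_keyword": 60,
         "brand_on_unlisted_tld": 50, "brand_in_subdomain": 40}


def normalize_label(label: str) -> str:
    """Reduce one DNS label to the plain ASCII a human would read it as."""
    label = label.lower()
    if label.startswith("xn--"):  # Punycode IDN label: recover the Unicode it displays as
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    decomposed = unicodedata.normalize("NFKD", label)  # "é" -> "e" + combining accent
    label = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    label = label.translate(CONFUSABLE_CHARS)
    for seq, rep in CONFUSABLE_SEQS:
        label = label.replace(seq, rep)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(fqdn: str) -> tuple[list[str], str, str]:
    """Return (subdomain labels, registrable label, public suffix) for a hostname."""
    labels = fqdn.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return [], "", ".".join(labels)
    return labels[:-suffix_len - 1], labels[-suffix_len - 1], ".".join(labels[-suffix_len:])


def _hit(fqdn: str, brand: str, reason: str) -> dict:
    return {"domain": fqdn, "brand": brand, "reason": reason, "score": SCORE[reason]}


def classify(fqdn: str) -> dict | None:
    """Return a finding for a lookalike domain, or None for allowlisted or unrelated names."""
    subs, registrable, suffix = split_domain(fqdn)
    if not registrable or f"{registrable}.{suffix}" in ALLOWLIST:
        return None
    norm = normalize_label(registrable)
    tokens = [t for t in re.split(r"[-_]+", norm) if t]
    for brand in BRANDS:
        if norm == brand:  # reads as the brand: either confusable characters or a different TLD
            return _hit(fqdn, brand, "confusable_brand" if registrable != brand else "brand_on_unlisted_tld")
        if levenshtein(norm, brand) <= (1 if len(brand) <= 6 else 2):  # threshold scales with brand length
            return _hit(fqdn, brand, "typosquat")
        # Keyword match only on hyphen tokens or as a prefix, so "pineapple" does not match "apple".
        if brand in tokens or norm.startswith(brand):
            return _hit(fqdn, brand, "brand_keyword")
    for sub in subs:  # e.g. zendesk.acme-helpdesk.com
        sub_norm = normalize_label(sub)
        if sub_norm in BRANDS:
            return _hit(fqdn, sub_norm, "brand_in_subdomain")
    return None


def triage(domains) -> list[dict]:
    """Classify a batch of domains and return the findings, highest risk first."""
    hits = [h for h in (classify(d) for d in domains) if h]
    return sorted(hits, key=lambda h: (-h["score"], h["domain"]))


SAMPLE_NEW_REGISTRATIONS = [  # constructed sample, not real registrations
    "zendesk.com", "login.zendesk.com",                  # legitimate, allowlisted
    "zendesk-sso-login.com", "zendeskk.com", "zendesk.support",
    "z\u0435ndesk.com",                                  # Cyrillic "е" in place of Latin "e"
    "zendesk.acme-helpdesk.com",                         # brand used as a subdomain of an unrelated name
    "arnazon-deals.shop", "appIe.com", "samsung-support.co",
    "desk.com", "example.com", "pineapple.com",          # benign names that must not be flagged
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_NEW_REGISTRATIONS):
        print(f'{hit["score"]:>3} {hit["reason"]:<22} {hit["brand"]:<8} {hit["domain"]}')
```

Run it as a script to print the ranked findings, or call `triage()` from whatever consumes your CT-log or zone-file feed. The checks are ordered so that a confusable or one-edit lookalike of the brand outranks a brand keyword inside a longer name, and keyword matching is limited to hyphen-separated tokens and prefixes so that names like pineapple.com are not flagged. A brand on an unlisted TLD (zendesk.support) is reported at a lower score because it may be the brand's own defensive registration; confirm it against the allowlist owner before acting. Replace `MULTI_PART_SUFFIXES` with the real Public Suffix List before relying on the registrable-domain split.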
Botnet takes advantage of AWS outage to smack 28 countries
Date: 2025-11-26 | Source: The Register
A Mirai-based botnet named ShadowV2 exploited an AWS outage in October, infecting IoT devices across 28 countries, including the US, UK, and Brazil. It utilized vulnerabilities in devices from multiple vendors (e.g., D-Link, TP-Link) to deliver malware and facilitate DDoS attacks. The botnet's activity was limited to the outage duration, highlighting IoT security weaknesses. Fortinet recommends securing IoT devices and monitoring network traffic. Microsoft later reported a massive DDoS attack on Azure from the Aisuru botnet.
2025-11-27 | Cyber Security News: Hackers Actively Exploiting IoT Vulnerabilities to Deploy New ShadowV2 Malware
During late October 2025, a malware campaign named ShadowV2 emerged, exploiting IoT vulnerabilities to create a botnet for DDoS attacks. It affected organizations across technology, education, and retail sectors in the U.S., Europe, and Asia. Fortinet analysts noted that the malware targets unpatched security flaws in devices from vendors like D-Link and TP-Link. ShadowV2 uses a downloader script to retrieve its payload and supports various DDoS vectors, indicating a significant threat to unsecured connected devices.
2025-11-27 | TechRadar: This devious botnet tried a trial run during the recent AWS outage - so when will it be back?
A new botnet named ShadowV2, based on Mirai, was active for about 15 hours during a recent AWS outage, targeting vulnerabilities in IoT devices from multiple vendors including D-Link and TP-Link. Found in over 20 countries, it appears to be a test run for potential future DDoS attacks. ShadowV2 has evolved to target various industries and is primarily focused on IoT hardware. Its emergence coincided with a significant DDoS attack on Azure by another Mirai descendant, Aisuru.
2025-11-28 | Security Affairs: New Mirai variant ShadowV2 tests IoT exploits amid AWS disruption
A new Mirai variant, ShadowV2, targeted vulnerable IoT devices during the late-October AWS outage, indicating a potential test for future attacks. It exploited vulnerabilities in devices from DDWRT, D-Link, DigiEver, TBK, and TP-Link. Victims spanned multiple countries and industries, including technology and government. ShadowV2 employs various DDoS attack methods and connects to a specific C2 server. The report emphasizes the need for timely firmware updates and robust security practices to protect IoT environments.
Microsoft Teams Flaw in Guest Chat Exposes Users to Malware Attacks
Date: 2025-11-26 | Source: Hack Read
A security flaw in Microsoft Teams' B2B Guest Access allows attackers to bypass Microsoft Defender protections when employees join external chats. Research by Ontinue reveals that once users accept a guest invite, their home security features are disabled, creating a "protection-free zone." Attackers can exploit this with minimal resources, using low-cost Microsoft 365 accounts. Experts recommend organizations limit guest invitations to trusted domains and monitor access to sensitive systems to mitigate risks.
2025-11-27 | Cyber Security News: Microsoft Teams Guest Chat Vulnerability Exposes Users to Malware Attack
A vulnerability in Microsoft Teams' B2B guest access allows attackers to bypass Defender for Office 365 protections, exposing users to phishing and malware. Enabled by default, new chat features permit external email invites, creating unprotected zones for malicious activities. Attackers can exploit this by creating basic tenants lacking security features. Recommendations include restricting guest invites to allowlisted domains, deploying cross-tenant access policies, and training users to reject unsolicited invites.
2025-11-27 | CSO Online: Microsoft Teams’ guest chat feature exposes cross-tenant blind spot
A flaw in Microsoft Teams' guest chat feature exposes users to security risks once they accept a guest invitation. Their Defender for Office 365 protections are disabled, leaving them vulnerable in an external tenant. This issue arises from a feature, rolled out under Microsoft 365 message center notice MC1182004, that allows Teams chats with any email address, creating an attack vector for threat actors. Experts warn that organizations may mistakenly believe their security controls follow users, while attackers can exploit this gap by inviting users to insecure tenants.
2025-11-28 | The Hacker News: MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants
Cybersecurity researchers have identified a vulnerability in Microsoft Teams' guest access feature that allows attackers to bypass Microsoft Defender for Office 365 protections. When users join external tenants as guests, their security is governed by the host's policies, potentially exposing them to unprotected environments. Attackers can exploit this by creating malicious tenants, sending invitations that appear legitimate, and conducting phishing attacks without triggering security measures in the victim's organization.
2025-11-28 | TechRadar: Microsoft Teams guest access could let hackers bypass some critical security protections
A vulnerability in Microsoft Teams' guest access feature allows malicious actors to bypass security protections, enabling malware distribution and phishing without triggering alarms. Guests rely on the host's security protocols, which can be exploited if the host is malicious. Businesses are advised to restrict external invites, disable chats, and train staff on phishing risks. Microsoft has not yet responded to inquiries regarding this issue.
Emergency alerts go dark after cyberattack on OnSolve CodeRED
Date: 2025-11-26 | Source: Security Affairs
A cyberattack on OnSolve CodeRED disrupted emergency alert services for U.S. state and local agencies, including police and fire departments. The City of University Park, Texas, reported potential user data compromise, including names, addresses, and passwords. Users are advised to change reused passwords. The INC Ransom group claimed responsibility, stating they accessed the system on November 1, 2025, and encrypted files by November 10, 2025. The City is transitioning to a new, secure alert platform.
2025-11-26 | Recorded Future: Municipal emergency warning service offline after hackers steal user data
Hackers compromised the OnSolve CodeRED platform, used by U.S. municipalities for emergency notifications, stealing user data including names, addresses, emails, phone numbers, and passwords. The incident, confirmed by Crisis24, led to the platform's decommissioning on November 10. Affected municipalities advised residents to change passwords. The INC ransomware gang claimed responsibility. Crisis24 is developing a new version of CodeRED and has conducted a security audit.
2025-11-26 | TechRadar: Emergency alert systems across US disrupted following OnSolve CodeRED cyberattack
OnSolve's CodeRED platform experienced a cyberattack attributed to INC Ransom, leading to the loss of sensitive user data, including names, addresses, and contact information. Crisis24, the parent company, had to rebuild the service from outdated backups, resulting in the permanent loss of recent accounts. The Douglas County Sheriff’s Office and 911 Board terminated their relationship with CodeRED due to privacy concerns. The FBI has been notified of the incident.
2025-11-26 | The Register: CodeRED emergency alert system CodeDEAD after INC ransomware attack
Towns across the US lost access to the CodeRED emergency alert system due to a ransomware attack by the INC group on vendor Crisis24. Affected municipalities are terminating contracts or waiting for a new platform, which Crisis24 claims is secure. Stolen data includes names, addresses, and passwords, prompting residents to change their passwords. The ransom demand was initially $950,000, later reduced to $450,000, with Crisis24 offering $150,000. Data may be sold if no ransom is paid.
2025-11-26 | Infosecurity Magazine: Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System
A cyber-attack on the OnSolve CodeRED platform disrupted emergency notifications and exposed user data, prompting Crisis24 to shut down its legacy system. The INC Ransom group claimed responsibility, stating they accessed systems on November 1 and encrypted files on November 10. Stolen data includes names, addresses, emails, phone numbers, and passwords. While no financial information was collected, agencies urged residents to change passwords. Crisis24 is rebuilding CodeRED in a new, secure environment.
2025-11-26 | Cyberscoop: Crisis24 shuts down emergency notification system in wake of ransomware attack
Crisis24 has permanently shut down its OnSolve CodeRED emergency notification system following a ransomware attack that compromised user data, including names, addresses, emails, phone numbers, and passwords. The attack, attributed to the INC ransomware group, affected numerous agencies for about two weeks. Crisis24 is transitioning customers to a new CodeRED platform, which remains secure. A full security audit and investigation are underway, with law enforcement notified.
2025-11-27 | Malwarebytes Labs: Millions at risk after nationwide CodeRED alert system outage and data breach
A ransomware attack by the INC Ransom group targeted the OnSolve CodeRED emergency notification system, affecting municipalities across the US. The breach may have compromised user data, including email addresses and clear-text passwords. Cities like Cambridge and University Park advised residents to change passwords. Crisis24, the provider, shut down its legacy system and is rebuilding it. Users are urged to enable two-factor authentication and be cautious of phishing attempts following the breach.
London Councils Hit By Serious Cyber “Incidents”
Date: 2025-11-26 | Source: Infosecurity Magazine
Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday. They have notified the UK Information Commissioner’s Office and are collaborating with the National Cyber Security Centre. Systems, including phone lines, are impacted. RBKC's IT team has implemented mitigations, while Hackney Council raised cybersecurity threat levels to "critical" amid the incident.
2025-11-26 | The Register: London councils probe cyber incident as shared IT systems knocked offline
Two London councils, the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are investigating a cybersecurity incident that began on November 24, affecting their shared IT systems. The National Cyber Security Centre (NCSC) is assisting with remediation efforts. RBKC's website is experiencing availability issues, and services, including phone lines, are disrupted. Experts suggest the incident may indicate a serious intrusion or a potential ransomware attack on a shared service provider.
2025-11-26 | Recorded Future: Cyber ‘issue’ hits three London councils with shared IT services
Three London councils, primarily the Royal Borough of Kensington and Chelsea and Westminster City Council, reported a cybersecurity issue affecting shared IT services. The incident was identified on Monday, prompting collaboration with specialists and the National Cyber Security Centre. Systems impacted include phone lines, and business continuity plans have been activated. Investigations are ongoing to determine if data was compromised, with the Information Commissioner’s Office notified. Hackney Council confirmed it was not affected.
2025-11-26 | The Guardian: London councils enact emergency plans after three hit by cyber-attack
Two London councils, the Royal Borough of Kensington and Chelsea and Westminster City Council, were hit by a cyber-attack, prompting the activation of emergency plans. Several systems, including phone lines, were affected, leading to limited services for 360,000 residents. The councils are collaborating with cyber incident experts and the National Cyber Security Centre to assess data compromise and restore services. They have notified the Information Commissioner’s Office and are focused on maintaining critical services.
2025-11-26 | Security Affairs: Multiple London councils faced a cyberattack
Multiple London councils, including Kensington & Chelsea and Westminster, experienced a cyberattack potentially exposing resident data. Authorities are investigating, with assistance from the National Cyber Security Centre. The attack compromised shared IT systems, leading to a rapid shutdown of services. Sensitive citizen data, including social care and financial records, may have been accessed, raising concerns about identity theft and fraud. The councils have notified the UK Information Commissioner’s Office and are implementing security measures.
2025-11-26 | TechCrunch: Multiple London councils report disruption amid ongoing cyberattack
At least three London councils, including Kensington and Chelsea, Westminster, and Hammersmith & Fulham, are dealing with a cyberattack that has led to network and phone line shutdowns. Officials are focused on protecting systems, restoring operations, and maintaining essential public services. The nature of the attack and any potential data theft are under investigation, with Kensington stating the cause is known but details are withheld due to ongoing law enforcement inquiries.
Corporate predators get more than they bargain for when their prey runs SonicWall firewalls
Date: 2025-11-25 | Source: The Register
Akira ransomware affiliates are exploiting vulnerable SonicWall firewalls in the context of mergers and acquisitions, reaching larger enterprises through compromised devices inherited from smaller acquired companies. ReliaQuest's analysis found that the intrusions relied on unpatched SSL VPN appliances and misconfigurations, letting attackers reuse stale ("zombie") credentials that were never revoked and guess hosts from predictable naming conventions. The average time from initial access to ransomware deployment was under an hour, which leaves little room for detection and underlines the security gaps that open up during M&A integration.
2025-11-26 | Cyber Security News: Akira Ransomware Uses SonicWall VPN Exploit to Exfiltrate Sensitive Data
The Akira ransomware group is exploiting vulnerabilities in SonicWall SSL VPN devices during mergers and acquisitions (M&A), targeting inherited IT infrastructure whose security has lagged behind the acquiring organisation's. Incidents analysed from June to October 2025 show attackers exfiltrating data and deploying ransomware quickly, often within hours of initial access. Recurring weaknesses include unchanged passwords, unpatched vulnerabilities, and inconsistent endpoint protection. Without thorough asset discovery and credential management for the acquired estate, organisations face significant risk during M&A transitions.
2025-11-26 | TechRadar: Ransomware hackers attack SMBs being acquired to try and gain access to multiple companies
Ransomware operators are targeting SMBs that are being acquired, using their compromised assets as a foothold into the acquiring company. ReliaQuest reports that Akira commonly gains entry through unpatched SonicWall SSL VPN appliances. SonicWall recently released a patch for CVE-2025-40601, a high-severity buffer overflow affecting Gen7 and Gen8 firewalls. Patching and enabling MFA reduce exposure but do not remove the risk from a device that was already compromised before the acquisition, since credentials stolen earlier can still be valid; the report highlights the danger of inheriting devices with existing infections and leaving them in service unexamined.
2025-11-27 | CSO Online: SonicWall ransomware attacks offer an M&A lesson for CSOs
Recent ransomware attacks on organisations running SonicWall SSL VPNs highlight the importance of involving infosec leaders in mergers and acquisitions (M&A). A ReliaQuest report indicates that many victim firms had vulnerable SonicWall devices inherited from past acquisitions, which attackers exploited to deploy the Akira ransomware strain. The attacks occurred between June and October, underlining the need for effective patch management and identity and access control across newly acquired infrastructure.
$262 million stolen in account takeover fraud schemes this year, FBI says ahead of holiday season
Date: 2025-11-25 | Source: Recorded Future
The FBI reported over $262 million lost to account takeover (ATO) fraud since January 2025, with more than 5,100 complaints received. Cybercriminals use social engineering to impersonate financial institutions and trick users into revealing credentials, typically by sending spoofed messages that play on fears of a fraudulent transaction. The agency also warns of an increase in malicious domains themed around holiday shopping, with AI making scam lures more convincing. Credentials for over 1.57 million stolen e-commerce accounts are reported to be on offer on the dark web.
2025-11-25 | Security Affairs: FBI: bank impersonators fuel $262M surge in account takeover fraud
Cybercriminals impersonating banks have caused a $262 million surge in account takeover fraud in 2025, according to the FBI. Over 5,100 complaints have been logged, with attackers using social engineering to trick victims into providing credentials and MFA codes. They often create phishing sites mimicking financial portals to capture login information. The FBI recommends victims contact their financial institution immediately, reset passwords, and report incidents to the IC3.
2025-11-26 | The Hacker News: FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams
The FBI reported over $262 million in account takeover (ATO) fraud losses since January 2025, with over 5,100 complaints. Cybercriminals impersonate financial institutions to steal sensitive information through social engineering and phishing, then use the compromised credentials to take control of accounts and quickly transfer funds out. Recommended protections include monitoring accounts, using strong, unique passwords, and verifying URLs before entering credentials. Researchers also note a rise in AI-driven phishing and holiday scams, with vulnerabilities in e-commerce platforms being exploited.
2025-11-26 | Infosecurity Magazine: FBI Warns of $262M Losses from Account Takeover Fraud in 2025
The FBI reported over $262 million in losses from account takeover (ATO) fraud since January 2025. Cybercriminals impersonate financial institutions to steal money or information, using social engineering and phishing to manipulate account owners into disclosing credentials through fraudulent communications. Techniques include directing victims to phishing websites and using SEO poisoning to push those sites up in search results. The FBI's advisory lists protective measures against ATO scams, which the article does not enumerate.
2025-11-27 | Malwarebytes Labs: Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks
The FBI has issued a warning about a rise in account takeover (ATO) fraud, coinciding with Amazon's alert to its 300 million customers regarding brand impersonation scams. Scammers use tactics like phishing, fake websites, and impersonation of customer support to steal login credentials. ATO fraud increased by 21% from H1 2024 to H1 2025, with losses exceeding $262 million. Recommendations include using official apps, being cautious with personal information, and utilizing passkeys for better security.